Preface



ICICS2001, the Third International Conference on Information and Communications Security, was held in Xi'an, China, 13-16 November 2001. Among the preceding conferences, ICICS'97 was held in Beijing, China, 11-14 November 1997 and ICICS'99 in Sydney, Australia, 9-11 November 1999. The ICICS'97 and ICICS'99 proceedings were released as volumes 1334 and 1726 of Springer-Verlag's Lecture Notes in Computer Science series.

ICICS2001 was sponsored by the Chinese Academy of Sciences (CAS), the National Natural Science Foundation of China, and the China Computer Federation. The conference was organized by the Engineering Research Center for Information Security Technology of the Chinese Academy of Sciences (ERCIST, CAS) in co-operation with the International Association for Cryptologic Research (IACR), the International Communications and Information Security Association (ICISA), and the Asiacrypt Steering Committee.

The format of ICICS2001 was selected to cover the complete spectrum of information and communications security, and to promote participant interaction. The sessions were designed to promote interaction between the major topics of the conference: theoretical foundations of security, secret sharing, network security, authentication and identification, boolean functions and stream ciphers, security evaluation, signatures, block ciphers and public-key systems, information hiding, protocols and their analysis, and cryptanalysis.

The 29-member Program Committee considered 134 submissions from 23 different countries and regions, of which 56 papers were accepted for presentation. Each paper was carefully reviewed blindly by a minimum of three referees from the respective field. The accepted papers came from 17 different countries and areas, including some 17 papers from China, 7 from Korea, 5 each from Australia and the USA, 3 each from Germany, Japan, Singapore, and Taiwan, 2 from the UK, and 1 each from Finland, France, India, Israel, Italy, Portugal, Spain, and Thailand. We would like to take this opportunity to thank all who submitted papers to ICICS2001 and the authors of accepted papers for their excellent work in preparing the camera-ready manuscripts.

We wish to thank the members of the program committee and reviewers for their effort in reviewing the papers in a short time and their great contribution to the conference in a variety of ways. We are also pleased to thank Prof. Xizhen Ni, Dr. Yeping He, and the other members of the organizing committee for helping with many local details. Special thanks to Dr. Jianying Zhou of Oracle who took care of most of the tough work related to the publishing affairs. Finally, we would like to thank all the ICICS2001 participants, organizers, and contributors for their work in making the conference a successful one.
Security of Blind Discrete Log Signatures against Interactive Attacks



Claus Peter Schnorr 

Fachbereiche Mathematik/Informatik, Universität Frankfurt, PSF 111932, D-60054 Frankfurt am Main, Germany, schnorr@cs.uni-frankfurt.de



Abstract. We present a novel parallel one-more signature forgery against blind Okamoto-Schnorr and blind Schnorr signatures in which an attacker interacts some $l$ times with a legitimate signer and produces from these interactions $l+1$ signatures. Security against the new attack requires that the following ROS-problem is intractable: find an overdetermined, solvable system of linear equations modulo $q$ with random inhomogenities (right sides).

There is an inherent weakness in the security result of Pointcheval and Stern. Theorem 26 [PS00] does not cover attacks with 4 parallel interactions for elliptic curves of order $2^{200}$. That would require the intractability of the ROS-problem, a plausible but novel complexity assumption. Conversely, assuming the intractability of the ROS-problem, we show that Schnorr signatures are secure in the random oracle and generic group model against the one-more signature forgery.



1 Introduction and Summary 

We study the security of blind Schnorr signatures and blind Okamoto-Schnorr signatures against the one-more signature forgery in which an attacker interacts some $l$ times with the legitimate signer and produces from these $l$ interactions $l+1$ signatures. Let these signatures be based on the discrete logarithm of an arbitrary group $G$ of prime order $q$, e.g. an elliptic or hyperelliptic curve or a subgroup of units in $\mathbb{Z}_n^*$ for a composite or prime modulus $n$. We introduce the novel parallel attack that succeeds in a one-more signature forgery against blind Schnorr signatures and blind Okamoto-Schnorr signatures with the same efficiency. The attack is in the Random Oracle and Generic Group Model (ROM + GM) explained in Section 3. The new attack merely requires a solution of the ROS-problem, a possibly intractable problem: find an overdetermined, solvable system of linear equations modulo $q$ with random inhomogenities. Specifically, given a system of $t \gg l$ linear equations modulo $q$ in $l$ unknowns with random inhomogenities (right sides), find a solvable subsystem of $l+1$ equations; a solvable subsystem corresponds to an $(l+1) \times (l+1)$ submatrix of rank $l$.

The new parallel attack has the interesting feature of not depending on the public key. Traditional security proofs do not seem to work in the presence of such an attack. Usually, traditional security proofs use the attacker to solve a DL-problem or a decisional Diffie-Hellman problem associated with the public key. However, the generic parallel attack uses a solution of the ROS-problem that is not related to the public key and thus the attacker cannot be used to solve a DL- or a DDH-problem. How could [PS00,PS96b] prove security? Theorem 26 of [PS00] only covers cases where solutions of the ROS-problem exist with negligible probability. While Theorem 26 [PS00] is optimal in the traditional security model, the new attack points to an inherent weakness of this result.

Theorem 26 of [PS00] shows that an attacker mounting a one-more signature forgery with a probability of success $\varepsilon$ above a bound of the form $\cdots/q$ (the numerator is not legible in this copy) can be used to compute a discrete logarithm.¹ Here $Q$ is the number of hash queries, $l$ is the number of interactions with the signer and $q$ is the prime order of the group $G$. For an elliptic curve $G$ of order $q \approx 2^{200}$ and $Q = 2^{80}$ we must have $l < 3$ as $\varepsilon \le 1$. For a subgroup $G$ of units of order $q \approx 2^{1000}$ we must have $l < 20$. The security for larger values of $l$ is an open problem [PS00]. Our generic parallel attack shows that the security of blind DL-signatures against one-more signature forgeries requires the intractability of the ROS-problem. The ROS-problem is related to an NP-complete problem [H97].

Conversely, assuming the intractability of the ROS-problem, Theorem 2 gives a practical security guarantee for blind Schnorr signatures in the ROM + GM. A generic attacker performing $t$ generic steps, including some $l$ interactions with the signer, cannot produce $l+1$ signatures with a better probability than $\binom{t}{2}/q$. For elliptic curves $G$ of order $q \approx 2^{200}$ this guarantee covers up to $t = 2^{100}$ generic steps including up to $2^{100}$ parallel signer interactions that can be interleaved in an arbitrary way. Blind Schnorr signatures have the same security level in the ROM + GM as the double-keyed blind Okamoto-Schnorr signatures, thus reducing a considerable overhead.

Our result suggests using blind Schnorr signatures in connection with strong elliptic/hyperelliptic curves rather than double-keyed blind Okamoto-Schnorr signatures with subgroups of units. We prove security of the most practical schemes under reasonable assumptions. The less practical schemes of [P98], [AO00] are provably secure for a polynomial number of interactions, but some restrictions apply.² The security proofs of [P98], [AO00] do not use the GM. The new attack does not apply to the less simple signatures of [AO01].

Is the GM-assumption too strong? Contrary to claims of previous anonymous referees we are not aware of a practical cryptographic scheme that is secure in the

¹ In terms of asymptotic bounds the security results of Pointcheval, Stern [PS96b,PS00] show that blind Okamoto-Schnorr signatures are secure against parallel interactive attacks provided that the number of interactions with the signer is poly-logarithmic: $\mathrm{polylog}(|q|)$ for the binary length $|q|$ of $q$. The polylog bound on the number of signer interactions has not been explicitly mentioned in [P00] but it is required as the proof is based on the results of [PS00].

² In [P98] a third party, the checker, has been introduced, and it is shown that the resulting three-party signature protocol is secure for a polynomial number of synchronized signer interactions, where the synchronization forces the completion of each step for all the different protocol invocations before the next step of any other invocation is started. The [AO00] scheme uses the [P98] scheme, thus the same restrictions apply.
ROM + GM but is insecure in reality. [CGH98] give a very intricate example of a secure scheme in ROM (only) that does not have a secure implementation. Of course the random hash function must be independent of the generic group [F00]. Moreover, Fischlin [F00] shows that generic verifier zero-knowledge is provably weaker than black-box TM verifier zero-knowledge. There are two reasons [Sc01b]: firstly, generic verifiers are more restricted than TM-verifiers; secondly, black-box simulators are less powerful than generic verifier simulators that control the generic group steps. Fischlin's result does not amount to a security break as we do not know that generic verifier zero-knowledge is weaker than "general" TM-verifier zero-knowledge. The restriction via the black-box mode may be too rigid.

The paper is organized as follows. We present in Section 2 blind Schnorr signatures and the novel parallel attack against blind Schnorr and against blind Okamoto-Schnorr signatures. We determine in Theorem 1 the probability for the existence of a solution for the ROS-problem. In Section 3 we describe the ROM + GM as introduced in [SJ00]. Assuming the intractability of the ROS-problem we give in Section 4, Theorem 2 a practical security guarantee for blind Schnorr signatures in the ROM + GM.

2 Blind Schnorr Signatures and the Parallel Attack

We are interested in blind signatures as required for anonymous digital cash. Blind signatures are generated by an interaction with the signer who controls the secret signature key.

Schnorr signatures refer to an arbitrary group $G$ of prime order $q$ and an arbitrary message space $M$. We describe signer interactions, an interactive protocol that enables a user to generate Schnorr signatures of messages of its choice. We first describe the setting and the structure of the signatures, after which we review the protocol for generation of signatures. We also show how to generate blind signatures of the same type. Signatures will be based on an ideal hash function $H : G \times M \to \mathbb{Z}_q$, where $M$ is the set of messages.

Private/public key pairs. The private key $x$ of the signer is random in $\mathbb{Z}_q$. The corresponding public key is $h = g^x \in G$, a random group element. We have $x = \log_g h$.

Signatures. A Schnorr signature on a message $m$ is a triple $(m, c, z) \in M \times \mathbb{Z}_q^2$ such that $H(g^z h^{-c}, m) = c$. For this paper, we let signatures $(m, c, z)$ comprise the message.

Signing a message $m \in M$: Pick a random $r \in_R \mathbb{Z}_q$, compute $g^r$, $c := H(g^r, m)$ and $z := r + cx$. Output the signature $(m, c, z)$. The result is a valid signature since we have $g^z h^{-c} = g^{r+cx} g^{-cx} = g^r$, and thus $H(g^z h^{-c}, m) = c$. We call a signature $(m, c, z)$ constructed by this protocol a standard signature.

A signer interaction is a three round interactive protocol between the signer and a user. The signer picks a random $r \in_R \mathbb{Z}_q$ and sends the commitment $g^r$ to the user. The user selects a challenge $c \in \mathbb{Z}_q$ and sends $c$. The signer responds by sending $z := r + cx \in \mathbb{Z}_q$. We let $(r, c, z) \in \mathbb{Z}_q^3$ denote the signer interaction consisting of the signer's random coin $r$, the user's challenge $c$ and the signer's response $z$. A signer interaction $(r, c, z)$ can be used to generate the standard signature $(m, c, z)$, where $c := H(g^r, m)$, or a transformation $(m, c', z')$ of this signature.

Blind Signature Protocol. We call the signature protocol blind if it generates a signature $(m, c', z')$ that is statistically independent of the interaction $(r, c, z)$ that provides the view of the signer. Later on, blind signatures cannot be identified and related to the signer interaction. The blindness concept is from [CP92].

To generate a blind signature $(m, c', z')$ the user picks random numbers $\alpha, \beta \in_R \mathbb{Z}_q$, and responds to the commitment $g^r$ by sending the challenge $c = H(g^{r+\alpha} h^{\beta}, m) + \beta \in \mathbb{Z}_q$. After receiving $z = r + cx \in \mathbb{Z}_q$ he computes $z' = z + \alpha$, $c' = c - \beta$.

Validity. For the output of the interaction $(m, c', z') = (m, c - \beta, z + \alpha)$ we have $g^{z'} h^{-c'} = g^{r+cx+\alpha} h^{-c+\beta} = g^{r+\alpha} h^{\beta}$. Hence $H(g^{z'} h^{-c'}, m) = c - \beta = c'$, and thus $(m, c', z')$ is a valid signature.

Blindness Property. The generated signature $(m, c - \beta, z + \alpha)$ is, for a constant interaction $(r, c, z)$, uniformly distributed over all signatures on message $m$ due to the random $\alpha, \beta \in_R \mathbb{Z}_q$. Each signature $(m, c', z')$ is produced for a unique pair $(\alpha, \beta)$: $\alpha = z' - z$, $\beta = c - c'$.
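The key pair, the standard signing step, the three-round signer interaction and the blinding with $(\alpha, \beta)$ described above, as an added example that is not part of the original paper. It works over a constructed toy group (the order-1019 subgroup of $\mathbb{Z}_{2039}^*$ with generator 4) and uses SHA-256 reduced modulo $q$ in place of the ideal hash function; the helpers `run_protocol`, `run_standard` and `unblinding_pair` are my additions and check the validity and blindness properties stated in the text.

```python
"""Blind Schnorr signatures of Section 2 over a toy group.

Added example, not the paper's own code.  Constructed parameters: G is the
order-q subgroup of Z_p^* with p = 2039, q = 1019 (p = 2q + 1) and generator
g = 4; they are far too small for real use and only keep the arithmetic
readable.  H(R, m) is SHA-256 reduced modulo q, standing in for the ideal
hash function H: G x M -> Z_q of the paper.
"""
import hashlib
import random

P, Q, G = 2039, 1019, 4          # toy group: <g> has prime order q in Z_p^*


def H(group_elem: int, message: str) -> int:
    """Hash a group element together with a message into Z_q."""
    data = group_elem.to_bytes(4, "big") + message.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen(rng: random.Random):
    """Private key x random in Z_q, public key h = g^x."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def verify(h: int, sig) -> bool:
    """(m, c, z) is a Schnorr signature iff H(g^z h^{-c}, m) = c."""
    m, c, z = sig
    commitment = pow(G, z, P) * pow(h, (-c) % Q, P) % P
    return H(commitment, m) == c


def sign_standard(x: int, m: str, rng: random.Random):
    """Standard signing: r random, c = H(g^r, m), z = r + cx."""
    r = rng.randrange(Q)
    c = H(pow(G, r, P), m)
    return (m, c, (r + c * x) % Q)


class Signer:
    """Signer's side of the three-round signer interaction (r, c, z)."""

    def __init__(self, x: int, rng: random.Random):
        self.x, self.rng, self.r = x, rng, None

    def commit(self) -> int:
        self.r = self.rng.randrange(Q)    # random coin r
        return pow(G, self.r, P)          # commitment g^r

    def respond(self, c: int) -> int:
        return (self.r + c * self.x) % Q  # response z = r + cx


def blind_sign(signer: Signer, h: int, m: str, rng: random.Random):
    """User's side of the blind protocol.

    Returns the blind signature (m, c', z'), the signer's view (r, c, z) and
    the blinding pair (alpha, beta), so the blindness property can be checked.
    """
    R = signer.commit()
    alpha, beta = rng.randrange(Q), rng.randrange(Q)
    # Challenge c = H(g^{r+alpha} h^beta, m) + beta on the blinded commitment.
    R_blind = R * pow(G, alpha, P) * pow(h, beta, P) % P
    c = (H(R_blind, m) + beta) % Q
    z = signer.respond(c)
    # Unblinding: z' = z + alpha, c' = c - beta.
    sig = (m, (c - beta) % Q, (z + alpha) % Q)
    return sig, (signer.r, c, z), (alpha, beta)


def unblinding_pair(view, sig):
    """The unique (alpha, beta) relating a view to a signature:
    alpha = z' - z, beta = c - c'."""
    _, c, z = view
    _, c_prime, z_prime = sig
    return ((z_prime - z) % Q, (c - c_prime) % Q)


def run_protocol(seed: int, m: str):
    """One key pair and one blind signing interaction with a seeded RNG."""
    rng = random.Random(seed)
    x, h = keygen(rng)
    sig, view, blinding = blind_sign(Signer(x, rng), h, m, rng)
    return h, sig, view, blinding


def run_standard(seed: int, m: str):
    """One key pair and one standard signature with a seeded RNG."""
    rng = random.Random(seed)
    x, h = keygen(rng)
    return h, sign_standard(x, m, rng)


if __name__ == "__main__":
    h, sig, view, blinding = run_protocol(7, "constructed message")
    print("blind signature valid:", verify(h, sig))
    print("recovered (alpha, beta) matches:", unblinding_pair(view, sig) == blinding)
```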



2.1 A New Parallel Attack against Blind Schnorr Signatures 

We present a variant of the attack that does not even use the generator g and 
the public key h. We first present the attack for Schnorr signatures. Thereafter, 
we extend it to Okamoto-Schnorr signatures. We show that Okamoto-Schnorr 
signatures do not protect better against the attack than plain Schnorr signatures. 
The new attack uses a solution of the following 

ROS-problem: Find an overdetermined, solvable system of linear equations modulo $q$ with random inhomogenities. Specifically, given an oracle random function $F : \mathbb{Z}_q^l \to \mathbb{Z}_q$, find coefficients $a_{k,\ell} \in \mathbb{Z}_q$ and a solvable system of $l+1$ distinct equations (1) in the unknowns $c_1, \ldots, c_l$ over $\mathbb{Z}_q$:

$a_{k,1} c_1 + \cdots + a_{k,l} c_l = F(a_{k,1}, \ldots, a_{k,l})$ for $k = 1, \ldots, t$. (1)

We evaluate the expected number of solvable subsystems consisting of $l+1$ out of $t$ equations (1).

Theorem 1. For arbitrary coefficients $a_{k,\ell} \in \mathbb{Z}_q$, the average number of solvable subsystems of $l+1$ out of the $t$ equations (1) is at most $\binom{t}{l+1}/q$. For statistically independent coefficients $a_{k,\ell} \in_R \mathbb{Z}_q$ the average number of solvable subsystems is $\binom{t}{l+1}\, q^{-1} (1 - q^{-1} + O(q^{-2}))$.

Proof. Consider a constant selection of $l+1$ out of the $t$ equations (1) with arbitrary coefficients $a_{k,\ell}$. Let the subsystem have $s$ linearly independent vectors $(a_{k,1}, \ldots, a_{k,l}) \in \mathbb{Z}_q^l$. The subsystem is solvable if and only if the rank of the submatrix of the corresponding vectors $(a_{k,1}, \ldots, a_{k,l}, F(a_{k,1}, \ldots, a_{k,l}))$ is $s$. The probability that the subsystem is solvable has a maximum $q^{-1}$ for $s = l$. For $s = l$ the $l$ linearly independent equations have a unique solution and that solution satisfies the remaining equation with probability $q^{-1}$. As there are $\binom{t}{l+1}$ selections out of $t$, the average number of solvable subsystems is at most $\binom{t}{l+1}/q$.

Next, consider random coefficients $a_{k,\ell} \in_R \mathbb{Z}_q$. Then $l$ vectors $(a_{k,1}, \ldots, a_{k,l})$ are linearly independent with probability $(1 - q^{-1})(1 - q^{-2}) \cdots (1 - q^{-l})$. Hence, a constant selection of $l+1$ equations (1) is solvable with probability $q^{-1}(1 - q^{-1} + O(q^{-2}))$.

Consider two distinct selections of $l+1$ equations. The solvability of two systems of $l+1$ equations is (nearly) statistically independent as the systems differ in at least one random value $F(a_{k,1}, \ldots, a_{k,l})$. The law of large numbers holds for a sequence of pairwise independent, identically distributed random variables. Therefore, the expected number of solvable subsystems with $l+1$ equations is $\binom{t}{l+1}\, q^{-1}(1 - q^{-1} + O(q^{-2}))$. □
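Theorem 1 and its proof say how many of the $\binom{t}{l+1}$ subsystems of (1) one should expect to be solvable; the following added example (not the paper's own code) checks that count empirically over a constructed toy field, testing every $(l+1)$-subset by the rank criterion used in the proof and comparing the observed average with the bound $\binom{t}{l+1}/q$. The values q = 101, t = 7, l = 3 and the seeded random right-hand sides standing in for the oracle $F$ are my assumptions, chosen so the exhaustive enumeration runs in seconds.

```python
"""Empirical check of Theorem 1 over a constructed toy field.

Added example, not the paper's own code.  For random coefficients a_{k,l}
and random right-hand sides (standing in for the oracle F), every subset of
l+1 of the t equations (1) is tested for solvability over Z_q exactly as in
the proof: the subsystem is solvable iff the coefficient matrix and the
augmented matrix have the same rank.  The observed average number of
solvable subsystems is then compared with the bound binom(t, l+1)/q.
q = 101, t = 7, l = 3 are toy values chosen so that the enumeration is fast.
"""
import random
from itertools import combinations
from math import comb


def rank_mod_q(rows, q):
    """Rank of a matrix (list of rows) over the field Z_q by Gaussian elimination."""
    m = [row[:] for row in rows]
    rank = 0
    for col in range(len(m[0])):
        pivot = next((i for i in range(rank, len(m)) if m[i][col] % q), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, q)          # q is prime, so the pivot is invertible
        m[rank] = [(v * inv) % q for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col] % q:
                f = m[i][col]
                m[i] = [(a - f * b) % q for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank


def is_solvable(coeffs, rhs, q):
    """A linear system over Z_q has a solution iff rank(A) == rank(A | b)."""
    augmented = [row + [b] for row, b in zip(coeffs, rhs)]
    return rank_mod_q(coeffs, q) == rank_mod_q(augmented, q)


def random_ros_instance(t, l, q, rng):
    """t equations in l unknowns with random coefficients and random right sides."""
    coeffs = [[rng.randrange(q) for _ in range(l)] for _ in range(t)]
    rhs = [rng.randrange(q) for _ in range(t)]
    return coeffs, rhs


def count_solvable_subsystems(coeffs, rhs, l, q):
    """Number of (l+1)-subsets of the equations that have a common solution."""
    return sum(
        1
        for idx in combinations(range(len(coeffs)), l + 1)
        if is_solvable([coeffs[k] for k in idx], [rhs[k] for k in idx], q)
    )


def theorem1_bound(t, l, q):
    """Upper bound binom(t, l+1)/q on the average number of solvable subsystems."""
    return comb(t, l + 1) / q


def average_solvable(t, l, q, trials, seed=0):
    """Average count over `trials` random instances, with a seeded RNG."""
    rng = random.Random(seed)
    total = sum(
        count_solvable_subsystems(*random_ros_instance(t, l, q, rng), l, q)
        for _ in range(trials)
    )
    return total / trials


if __name__ == "__main__":
    q, t, l = 101, 7, 3
    print("bound binom(t, l+1)/q:", theorem1_bound(t, l, q))
    print("observed average     :", average_solvable(t, l, q, trials=1500))
```

For the paper's own parameters ($l = 4$, $t = 2^{80}$, $q \approx 2^{200}$) the same `theorem1_bound` is astronomically large, which is the sense in which solvable subsystems are "very likely to exist" there.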

The attack against Schnorr signatures. The signer sends commitments $g_1 = g^{r_1}, \ldots, g_l = g^{r_l}$. The attacker $A$ selects $a_{k,1}, \ldots, a_{k,l} \in \mathbb{Z}_q$ and messages $m_1, \ldots, m_t$, and computes $f_k = g_1^{a_{k,1}} \cdots g_l^{a_{k,l}}$ and $H(f_k, m_k)$ for $k = 1, \ldots, t$. Then $A$ solves $l+1$ of the $t$ equations (2) in the unknowns $c_1, \ldots, c_l$ over $\mathbb{Z}_q$:

$H(f_k, m_k) = \sum_{\ell=1}^{l} a_{k,\ell}\, c_\ell$ for $k = 1, \ldots, t$. (2)

$A$ sends the solutions $c_1, \ldots, c_l$ as challenges to the signer. The signer sends back $z_\ell := r_\ell + c_\ell x \in \mathbb{Z}_q$ for $\ell = 1, \ldots, l$. For each solved equation (2), the attacker gets a valid signature $(m_k, c'_k, z'_k)$ by setting

$c'_k := \sum_{\ell=1}^{l} a_{k,\ell}\, c_\ell = H(f_k, m_k)$ and $z'_k := \sum_{\ell=1}^{l} a_{k,\ell}\, z_\ell$.

Correctness. The equations (2) imply that

$g^{z'_k} h^{-c'_k} = g_1^{a_{k,1}} \cdots g_l^{a_{k,l}} = f_k$ and $H(g^{z'_k} h^{-c'_k}, m_k) = c'_k$.

In the ROM the values $H(f_k, m_k)$ are random. The coefficients $a_{k,\ell}$ selected by the attacker are arbitrary values. The solution $(c_1, \ldots, c_l)$ of $l+1$ of the $t$ equations (2) does not depend on $g, h$. As $A$ does not use $g, h$, $A$ cannot help in black-box mode to compute $\log_g h$ or to solve a Diffie-Hellman or a decisional Diffie-Hellman problem related to $h$.

The new attack is generic; it works for arbitrary groups with an efficient multiplication. We call it the generic, parallel attack. The attack is intrinsically parallel. Theorem 1 shows that the number $l$ of parallel interactions with the signer must be at least logarithmic in $q$. Otherwise, the probability $\binom{t}{l+1}/q$ for the existence of a solvable subsystem of $l+1$ equations (2) is negligible.

The attack against Okamoto-Schnorr signatures. We follow the notation of [PS00]. There are two public keys $h$ and $y = g^{-r} h^{-s}$ for random secret keys $r, s \in_R \mathbb{Z}_q$ while $\log_g h$ is unknown. A signature of message $m$ is a tuple $(m, \varepsilon, \rho, \sigma) \in M \times \mathbb{Z}_q^3$ satisfying $H(g^{\rho} h^{\sigma} y^{\varepsilon}, m) = \varepsilon$.
The signer picks random $t_\ell, u_\ell \in_R \mathbb{Z}_q$ and sends commitments $g_\ell = g^{t_\ell} h^{u_\ell}$ for $\ell = 1, \ldots, l$. The attacker $A$ selects coefficients $a_{k,\ell} \in \mathbb{Z}_q$ and messages $m_1, \ldots, m_t$, and computes $f_k = g_1^{a_{k,1}} \cdots g_l^{a_{k,l}}$ and $H(f_k, m_k)$ for $k = 1, \ldots, t$. $A$ solves $l+1$ of the $t$ linear equations (2) modulo $q$ in the unknowns $c_1, \ldots, c_l$. $A$ sends the solutions $c_1, \ldots, c_l$ as challenges to the signer. The signer sends back $R_\ell := t_\ell + c_\ell r$, $S_\ell := u_\ell + c_\ell s \in \mathbb{Z}_q$ for $\ell = 1, \ldots, l$. For each solved equation (2) $A$ gets a valid signature $(m_k, \varepsilon_k, \rho_k, \sigma_k)$ by setting

$\varepsilon_k := H(f_k, m_k) = \sum_{\ell=1}^{l} a_{k,\ell}\, c_\ell$, $\rho_k := \sum_{\ell=1}^{l} a_{k,\ell}\, R_\ell$, $\sigma_k := \sum_{\ell=1}^{l} a_{k,\ell}\, S_\ell$.

Correctness. From the equations (2) we get that

$g^{\rho_k} h^{\sigma_k} y^{\varepsilon_k} = g_1^{a_{k,1}} \cdots g_l^{a_{k,l}} = f_k$ and $H(g^{\rho_k} h^{\sigma_k} y^{\varepsilon_k}, m_k) = \varepsilon_k$.

Conclusion. The generic parallel attack $A$ does not use the public $g, h, y$. Thus, it is impossible to use a successful attacker to solve a DL-, DH- or DDH-problem. The generic, parallel attack has been excluded in Theorem 26 [PS00] by assuming that the attacker has a probability of success which is greater than the probability $\binom{t}{l+1}/q$ for the existence of a solvable subsystem of $l+1$ equations (2). The second part of Theorem 1 shows that solutions to the ROS-problem are very likely to exist for $l = 4$, $t = 2^{80}$ and $q \approx 2^{200}$. The generic parallel attack is possible for $l = 4$ parallel interactions, $t = 2^{80}$ hash queries for elliptic curves of order $q \approx 2^{200}$. A meaningful security guarantee for elliptic curves of order $\approx 2^{200}$ requires that solvable subsystems of $l+1$ equations (2) are hard to find.

3 The Random Oracle and the Generic Group Model

The Random Oracle Model (ROM). Let $G$ be a group of prime order $q$ with generator $g$, a range $M$ of messages, and let $\mathbb{Z}_q$ denote the field of integers modulo $q$. Let $H$ be an ideal hash function with range $\mathbb{Z}_q$, modelled as an oracle that, given an input (query) in $G \times M$, outputs a random number in $\mathbb{Z}_q$. Formally, $H$ is a random function $H : G \times M \to \mathbb{Z}_q$ chosen at random over all functions of that type with uniform probability distribution.

The Generic Group Model (GM). Generic algorithms for $G$ do not use the binary encodings of the group elements, as they access group elements only for group operations and equality tests. Nechaev [Ne94] proves that the discrete logarithm problem is hard in such a model; see [Sc01a] for a stronger result. The generic model of algorithms was further elaborated on by Shoup [Sh97]. We present the Shoup model in a slightly different setup³ and we extend it

³ We count the same generic steps as in [Sh97]; however, we allow arbitrary multivariate exponentiations while Shoup merely uses multiplication and division. The technical setup in [Sh97] looks different as groups $G$ are additive and associated with a random injective encoding $\sigma : G \to S$ of the group $G$ into a set $S$ of bit strings; the generic algorithm performs arbitrary computations on these bit strings. Addition/subtraction is done by an oracle that computes $\sigma(f_i \pm f_j)$ when given $\sigma(f_i)$, $\sigma(f_j)$ and the specified sign bit. As the encoding $\sigma$ is random it contains only the information about which group elements coincide; this is what we call the set of collisions.
to algorithms that interact with a decryption oracle. Encryptions are for the private/public key pair $(x, h)$, where $x$ is random in $\mathbb{Z}_q$ and $h = g^x$. We describe the extended generic model in detail, first focusing on non-interactive algorithms and thereafter on algorithms interacting with oracles for hashing and signing.

The data of a generic algorithm is partitioned into group elements in $G$ and non-group data. The generic steps for group elements are multivariate exponentiations:

• mex: $\mathbb{Z}_q^d \times G^d \to G$, $(a_1, \ldots, a_d, g_1, \ldots, g_d) \mapsto \prod_{i=1}^{d} g_i^{a_i}$ with $d \ge 0$.

The cases $d = 2$, $a_1 = 1$, $a_2 = \pm 1$ present multiplication/division. The case $d = 0$ presents inputs in $G$; e.g., $g, h$ are inputs for the DL-computation.

Def. A (non-interactive) generic algorithm is a sequence of $t$ generic steps⁴

• $f_1, \ldots, f_{t'} \in G$ (inputs), $1 \le t' < t$,

• $f_i = \prod_{j=1}^{i-1} f_j^{a_j}$ for $i = t'+1, \ldots, t$, where $(a_1, \ldots, a_{i-1}) \in \mathbb{Z}_q^{i-1}$ depends arbitrarily on $i$, the non-group input and the set $CO_{i-1} := \{(j, k) \mid f_j = f_k,\ 1 \le j < k \le i-1\}$ of previous collisions of group elements.

Typical non-group inputs are various integers in $\mathbb{Z}_q$ contained in given ciphertexts or signatures. $CO_t$ is the set of all collisions of the algorithm.

Some group inputs $f_i$ depend on random coin flips, e.g., the random public key $h = g^x$ depends on the random secret key $x \in_R \mathbb{Z}_q$. The probability space consists of the random group elements of the input. The logarithms $\log_g f_i$ of the random inputs $f_i$ play the role of secret parameters. Information about the secret parameters can only be revealed by collisions. E.g., $g^a = f_i^b$ implies $\log_g f_i = a/b$. We let the non-group input and the generator $g$ not depend on random bits. The output of a generic algorithm consists of

• non-group data that depend arbitrarily on the non-group input and on the set $CO_t$ of all collisions,

• group elements $f_{\sigma_1}, \ldots, f_{\sigma_d}$ where the integers $\sigma_1, \ldots, \sigma_d \in \{1, \ldots, t\}$ depend arbitrarily on the non-group input and on $CO_t$.

Next, we elaborate on interactive, generic algorithms. We count the following generic steps:

• group operations, mex: $\mathbb{Z}_q^d \times G^d \to G$, $(a_1, \ldots, a_d, g_1, \ldots, g_d) \mapsto \prod_{i=1}^{d} g_i^{a_i}$,

• queries to the hash oracle $H$,

• interactions with a signature oracle (signer for short).

A generic adversary $A$, mounting a one-more signature forgery, is an interactive algorithm that interacts with a signer. It performs some $t$ generic steps resulting in $t' \le t$ group elements $f_1, \ldots, f_{t'}$. $A$ iteratively selects the next generic step (a group operation, a query to $H$, an interaction with the signer)

Shoup's random encoding allows for an efficient sorting of group elements. We do not need such efficient sorting as equality tests are for free.

⁴ We can allow that the number $t$ of generic steps varies with the input. We can let the algorithm decide after each step whether to terminate depending arbitrarily on the given non-group data.
depending arbitrarily on the non-group input and on previous collisions of group elements.

The input consists of the generator $g$, the public key $h \in G$, the group order $q$, a collection of messages and ciphertexts and so on, all of which can be broken down into group elements and non-group data.

The computed group elements $f_1, \ldots, f_{t'} \in G$ comprise the group elements contained in the input, such as $g, h$. When counting the number of group operations, we count each input as one operation. As a signer interaction is counted as a generic step, the number $t'$ of group elements is bounded by the number $t$ of generic steps, $t' \le t$. We have $t = t'$ for a non-interactive $A$.

The given non-group data consists of the non-group data contained in the input, the previous hash replies $H(Q)$ of queries $Q$, and the set of previous collisions of group elements. Signer interactions are described in Section 2.

$A$'s output and transmission to the signer consists of non-group data $NG$ and previously computed group elements $f_\sigma$, where $NG$ and $\sigma$, $1 \le \sigma \le t'$, depend arbitrarily on given non-group data.

$A$'s transmission to the hash oracle $H$ depends arbitrarily on given group elements and given non-group data. The probability space consists of the random $H$, the random input group elements and the random coin flips of the signer.

The restriction of the generic model is that $A$ can use group elements only for generic group operations, equality tests and for queries to the hash oracle, whereas non-group data can be arbitrarily used without charge. The computed group elements $f_1, \ldots, f_{t'}$ are given as explicit multiplicative combinations of given group elements. Let $g_\ell = g^{r_\ell}$ for $\ell = 1, \ldots, l$ be the group elements that $A$ gets from the signer. A computed $f_j \in G$ is of the form $f_j = g^{a_{j,-1}} h^{a_{j,0}} g_1^{a_{j,1}} \cdots g_l^{a_{j,l}}$, where the exponents $a_{j,-1}, a_{j,0}, a_{j,1}, \ldots, a_{j,l} \in \mathbb{Z}_q$ depend arbitrarily on given non-group data. $A$ can arbitrarily use the coefficients $a_{j,\ell}$ from this explicit representation of $f_j$. A generic adversary does not use internal coin flips; this is not a restriction as internal coin flips would be useless.⁵

Trivial collisions. We call a collision $(i, j) \in CO_t$ trivial if $f_i = f_j$ holds with probability 1, i.e., if it holds for all choices of the secret data such as the secret key $x$ and the random bits $r$ of the encipherer. We write $f_i \equiv f_j$ for a trivial collision. Trivial collisions do not release any information about the secret data while non-trivial collisions can completely release some secret data. Trivial collisions can be excluded from $CO_t$. Therefore, we ignore trivial collisions.



⁵ $A$ could select internal coin flips that maximize the probability of success; there is always a choice for the internal coin flips that does not decrease $A$'s probability of success. Moreover, it would be useless for $A$ to generate random group elements, in particular ones with unknown DL. Using one generic step, $A$ could replace random elements in $G$ by some deterministic $g^a$ where $a \in \mathbb{Z}_q$ is chosen so as to maximize the probability of success.
4 Security of Signatures against Interactive Attacks

Assuming the intractability of the ROS-problem and the ROM + GM we give 
in Theorem 2 a practical security guarantee for blind Schnorr signatures against 
one-more signature forgeries. 

This section refers to a generic adversary $A$ performing some $t$ generic steps, including some $l$ interactions $(r_1, c_1, z_1), \ldots, (r_l, c_l, z_l)$ with the signer, producing some $t'$ group elements and some $t''$ queries to the hash oracle. We let $r = (r_1, \ldots, r_l)$ denote the signer's random coins. Let $f_1 = g$, $f_2 = h = g^x$, $f_3, \ldots, f_{t'} \in G$ denote the group elements of $A$'s computation. The generic $A$ computes $f_j = g^{a_{j,-1}} h^{a_{j,0}} g_1^{a_{j,1}} \cdots g_l^{a_{j,l}}$, where $g_1 = g^{r_1}, \ldots, g_l = g^{r_l}$ are the signer's commitments and the exponents $a_{j,\ell} \in \mathbb{Z}_q$ depend arbitrarily on the previously computed non-group data. As each signer interaction yields one group element $g^{r_\ell}$ we have that $t'' = t - t' \ge 0$ is the number of interactions with the hash oracle. We first present the basic Lemmas 1 and 2 that extend results of [SJ00] from a non-interactive attacker to an adversary using a hash oracle and a signature oracle.

Lemma 1. Collisions among $f_1, \ldots, f_{t'}$ occur at most with probability $\binom{t'}{2}/q$. The probability refers to the random $h$, $H$ and the random coins $r$ of the signer.

Proof. We show for $i < j$ that $\Pr_{x, r, H}[f_i = f_j] \le 1/q$ under the condition that there is no prior collision of group elements. So let us assume that there is no such prior collision. The main point is to show that $f_i, f_j$ are either statistically independent or $f_i / f_j$ is constant with $f_i \not\equiv f_j$. Considering $x$ and $r_1, \ldots, r_l$ as indeterminates over $\mathbb{Z}_q$, $\log_g f_j = a_{j,-1} + a_{j,0}\, x + \sum_{\ell=1}^{l} a_{j,\ell}\, r_\ell$ is a linear polynomial in $\mathbb{Z}_q[x, r_1, \ldots, r_l]$.

For a non-interactive $A$, where $l = 0$ and $r = (r_1, \ldots, r_l)$ is empty, we have $f_i = f_j$ iff $a_{i,-1} - a_{j,-1} + (a_{i,0} - a_{j,0})\, x = 0$. Therefore, $x$ is statistically independent of the $a_{i,\ell}, a_{j,\ell}$, and thus $\Pr_{x, H}[f_i = f_j] \le 1/q$.⁶

Next, consider an interactive $A$. We call $r_\ell$ prior to $f_j$ if the value $a_{j,\ell}$ depends on the signer's response $z_\ell = r_\ell + c_\ell x$; otherwise $r_\ell$ is subsequent to $f_j$. When given $f_j = g^{a_{j,-1}} h^{a_{j,0}} g_1^{a_{j,1}} \cdots g_l^{a_{j,l}}$, the probability space, from $A$'s point of view, consists of $x$, $H$ and the $r_\ell$ subsequent to $f_j$. The $r_\ell = z_\ell - c_\ell x$ prior to $f_j$ are linear functions in $x$, with given coefficients $z_\ell, c_\ell$. Consider $\log_g f_j = a_{j,-1} + a_{j,0}\, x + \sum_{\ell=1}^{l} a_{j,\ell}\, r_\ell$ as a linear function in $x$ and the $r_\ell$ subsequent to $f_j$. The coefficients $a_{j,\ell}, c_\ell, z_\ell \in \mathbb{Z}_q$ depend on $x, H, r$ only via prior $r_\ell$ and prior hash values. Thus $x$ is statistically independent of the given coefficients. Therefore, the values of the function $\log_g f_i - \log_g f_j$ are either constant or uniformly distributed over $\mathbb{Z}_q$. The case that $\log_g f_i - \log_g f_j = 0$ for all $x$ and all $r_\ell$ subsequent to $f_j$ has been excluded as $f_i \not\equiv f_j$. This shows that $\Pr_{x, r, H}[f_i = f_j] \le 1/q$, which implies the claim of Lemma 1 as there are $\binom{t'}{2}$ pairs $i < j$. □

Lemma 2. If there are no collisions among $f_1, \ldots, f_{t'}$ the random $x$ is statistically independent of the computed non-group data except that the random coins $(r, x)$ leading to collisions are excluded.

⁶ The equality $f_i = f_j$ holds with zero probability if $a_{i,-1} \ne a_{j,-1}$ and $a_{i,0} = a_{j,0}$. As $f_j \not\equiv f_i$ we cannot have that $(a_{i,-1}, a_{i,0}) = (a_{j,-1}, a_{j,0})$.
Proof. The random $x$ enters into the generic computation only via the random values $z_\ell = r_\ell + c_\ell x$, random hash values and $h = g^x$. In a signer interaction $A$ gets the pair $(g^{r_\ell}, z_\ell)$. Due to the random $r_\ell$ the distribution of $z_\ell$ does not depend on $h = g^x$. The probability distribution of the non-group data generated from hash values and signer responses does not depend on $x$. Therefore, $x$ is statistically independent of all non-group data ($h = g^x$ is NOT statistically independent of $(g^{r_\ell}, z_\ell)$; however $g^{r_\ell}$ enters into the computation of non-group data only by collisions of group elements and via random hash values). □

Theorem 2 shows that Schnorr signatures are secure against the one-more signature forgery in the ROM + GM. Theorem 2 covers blind signatures as required for anonymous electronic cash. This is the first sharp security result for simple DL-signatures in the interactive setting.

Theorem 2. Let a generic adversary $A$ be given the generator $g$, the public key $h$, and an oracle for $H$. Let $A$ interact with the signer some $l$ times and perform $t$ generic steps including $l$ signer interactions. If $A$ succeeds in a parallel attack to produce $l+1$ signatures with a better probability of success than $\binom{t}{2}/q$ then $A$ must solve the ROS-problem: solve $l+1$ distinct equations (2) in the unknowns $c_1, \ldots, c_l \in \mathbb{Z}_q$. The probability space consists of $h$, $H$ and the random coins of the signer.

Proof. In the interaction $(r_\ell, c_\ell, z_\ell)$ the signer correctly transmits $g_\ell := g^{r_\ell}$ and responds to $A$'s challenge by $z_\ell = r_\ell + c_\ell x$. It is assumed that $A$ outputs distinct triples $(m_i, c'_i, z'_i) \in M \times \mathbb{Z}_q^2$ for $i = 1, \ldots, l+1$. We study the probability that the $l+1$ outputs are all signatures. Let there be $t''$ (distinct) queries to the hash oracle resulting in independent hash values $H(f_{\sigma_k}, m_k) \in \mathbb{Z}_q$ for $k = 1, \ldots, t''$ for an arbitrary function $k \mapsto \sigma_k$ that selects $f_{\sigma_k}$ from the computed group elements $f_j$. Lemma 3 shows that the group element $g^{z'_i} h^{-c'_i}$ corresponding to a signature $(m_i, c'_i, z'_i)$ must be among $f_{\sigma_1}, \ldots, f_{\sigma_{t''}}$. We let $f_{\sigma_i} = g^{z'_i} h^{-c'_i}$.

Lemma 3. Let the output (m_i, c'_i, z'_i) be a signature with a better probability than 1/q. Then we have that c'_i = H(f_{σ_i}, m_i) for some hash query satisfying f_{σ_i} = g^{z'_i} h^{-c'_i}. Moreover, c'_i, z'_i satisfy the equations z'_i = a_{σ_i,-1} + \sum_{l=1}^{\ell} a_{σ_i,l} z_l and (3).

Conversely, given a solution (c_1, ..., c_ℓ) of equation (3) one easily gets a signature (m_i, c'_i, z'_i) for each solved equation.

Proof. The first claim follows from the equation c'_i = H(g^{z'_i} h^{-c'_i}, m_i) required for signatures (m_i, c'_i, z'_i). In the ROM this equation necessitates that A selects c'_i from given hash values H(f_{σ_k}, m_k); otherwise the equality only holds with probability 1/q, as the hash value is random. W.l.o.g. let c'_i = H(f_{σ_i}, m_i), where f_{σ_i} = g^{z'_i} h^{-c'_i} holds for the output (m_i, c'_i, z'_i), which determines σ_i.⁴ The equations g^{z'_i} h^{-c'_i} = f_{σ_i} = g^{a_{σ_i,-1}} h^{a_{σ_i,0}} \prod_{l=1}^{\ell} g_l^{a_{σ_i,l}} imply

z'_i = a_{σ_i,-1} + \sum_{l=1}^{\ell} a_{σ_i,l} z_l + (a_{σ_i,0} - \sum_{l=1}^{\ell} a_{σ_i,l} c_l + c'_i) x.    (4)

If c'_i = -a_{σ_i,0} + \sum_{l=1}^{\ell} a_{σ_i,l} c_l then A can easily compute the correct z'_i. In this case, equation (4) does not depend on the secret key x and we have z'_i = a_{σ_i,-1} + \sum_{l=1}^{\ell} a_{σ_i,l} z_l, where the signer's responses z_1, ..., z_ℓ and the coefficients a_{σ_i,l} are known to A.

Conversely, A must select c_1, ..., c_ℓ so as to zero the coefficient of the secret key x in (4). Otherwise, equation (4) holds with probability 1/q, as x is by Lemma 2 statistically independent of the non-group data z'_i, a_{σ_i,-1}, ..., a_{σ_i,ℓ}, c_1, ..., c_ℓ, and thus A's probability of success is not better than 1/q. This proves that A must solve the equation (3). □

⁴ For simplicity we abbreviate f_{σ_i} = g^{z'_i} h^{-c'_i} even though that equation only holds a posteriori. The output (m_i, c'_i, z'_i) defines σ_i except when there is a collision H(f_{σ_i}, m_i) = H(f_{σ_j}, m_j) with m_i = m_j.

We see that the parallel attacker A can only succeed in one of four cases:

• A solves ℓ + 1 out of t'' distinct equations

c'_k = H(f_{σ_k}, m_k) = -a_{σ_k,0} + \sum_{l=1}^{\ell} a_{σ_k,l} c_l.    (3)

Each solved equation (3) yields a corresponding signature (m_i, c'_i, z'_i) by setting z'_i = a_{σ_i,-1} + \sum_{l=1}^{\ell} a_{σ_i,l} z_l. This is the generic, parallel attack.

• For some i, 1 ≤ i ≤ ℓ + 1, equation (3) does not hold but equation (4) holds. This event has probability 1/q.

• There is a collision of group elements. This event has probability ≤ \binom{t'}{2}/q.

• There is a collision of hash values H(f_{σ_i}, m_i) = H(f_{σ_j}, m_j), where m_i = m_j, f_{σ_i} ≠ f_{σ_j} and a_{σ_i,0} = a_{σ_j,0}. In this case the equations (3) with indices i and j coincide. This event has probability ≤ \binom{t''}{2}/q.

W.l.o.g. we can assume that t', t'' ≥ 1, and thus \binom{t'}{2} + \binom{t''}{2} + 1 ≤ \binom{t}{2}. We see that A succeeds in the last three cases with no better probability than \binom{t}{2}/q. This proves Theorem 2, as A does not succeed with a better probability than \binom{t}{2}/q except if A solves ℓ + 1 out of t'' distinct equations (3). □
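The following is an added example and not part of the paper: a toy-sized run of the generic parallel attack of Theorem 2 with ℓ = 1 signer interaction, in Python. The adversary computes group elements f_k = g^{a_{k,-1}} h^{a_{k,0}} g_1^{a_{k,1}}, hashes them, and continues until two hash queries demand the same c_1 in equation (3); it then sends that single c_1 to the signer and turns both queries into valid signatures with the x-free form of (4). The Schnorr subgroup of order q ≈ 2^20, SHA-256 standing in for the random oracle, and the message labels are this example's own choices; with q this small the needed collision shows up after roughly \sqrt{q} hash queries, which is the \binom{t}{2}/q behaviour the theorem bounds.

```python
"""Toy one-more forgery against blind Schnorr signatures, l = 1 parallel session.
Everything here (group size, hash, message labels) is the example's own choice."""
import hashlib
import random


def is_prime(n: int) -> bool:
    """Trial division; adequate for the ~2^21 moduli used in this example."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def safe_prime(q_min: int):
    """Return (p, q) with q >= q_min prime and p = 2q + 1 prime."""
    q = q_min | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


def H(f: int, m: str, q: int) -> int:
    """Random-oracle stand-in: hash (group element, message) into Z_q."""
    digest = hashlib.sha256(f"{f}|{m}".encode()).digest()
    return int.from_bytes(digest, "big") % q


def verify(p: int, q: int, g: int, h: int, m: str, c: int, z: int) -> bool:
    """Schnorr verification c == H(g^z h^{-c}, m); h has order q, so h^{-c} = h^{q-c}."""
    f = pow(g, z, p) * pow(h, (q - c) % q, p) % p
    return c == H(f, m, q)


def one_more_forgery(seed: int = 7, q_min: int = 1_000_000) -> dict:
    rng = random.Random(seed)
    p, q = safe_prime(q_min)
    g = 4                                   # a square in Z_p^*, hence of order q
    x = rng.randrange(1, q)                 # signer's secret key
    h = pow(g, x, p)

    # Signer opens its single session and sends the commitment g_1 = g^{r_1}.
    r1 = rng.randrange(1, q)
    g1 = pow(g, r1, p)

    # Adversary: for query k, equation (3) reads c'_k = -a_{k,0} + a_{k,1} c_1, so the
    # query "votes" for c_1 = (c'_k + a_{k,0}) / a_{k,1}.  Stop at the first repeated vote:
    # two distinct hash queries then satisfy (3) with one and the same c_1.
    votes = {}
    queries = 0
    while True:
        queries += 1
        a_m1, a_0, a_1 = rng.randrange(q), rng.randrange(q), rng.randrange(1, q)
        m = f"msg-{queries}"
        f = pow(g, a_m1, p) * pow(h, a_0, p) * pow(g1, a_1, p) % p
        c_k = H(f, m, q)
        c1 = (c_k + a_0) * pow(a_1, -1, q) % q
        if c1 in votes:
            break
        votes[c1] = (a_m1, a_1, m, c_k)
    # The one signer interaction: send c_1, receive z_1 = r_1 + c_1 x.
    z1 = (r1 + c1 * x) % q

    # Both matching queries become signatures via z'_k = a_{k,-1} + a_{k,1} z_1 (x-free form of (4)).
    forgeries = []
    for (b_m1, b_1, mk, ck) in (votes[c1], (a_m1, a_1, m, c_k)):
        forgeries.append((mk, ck, (b_m1 + b_1 * z1) % q))

    # Control: the same recipe on a query that does not satisfy (3) fails (except with prob. 1/q).
    e_m1, e_0, e_1 = rng.randrange(q), rng.randrange(q), rng.randrange(1, q)
    f_e = pow(g, e_m1, p) * pow(h, e_0, p) * pow(g1, e_1, p) % p
    bogus = ("msg-control", H(f_e, "msg-control", q), (e_m1 + e_1 * z1) % q)

    return {
        "q": q,
        "hash_queries": queries,
        "signer_interactions": 1,
        "messages": [s[0] for s in forgeries],
        "forgeries_valid": [verify(p, q, g, h, *s) for s in forgeries],
        "bogus_valid": verify(p, q, g, h, *bogus),
    }


FORGERY_DEMO = one_more_forgery()
```

For a real group with q ≈ 2^256 the same loop would need about 2^128 hash queries, which is exactly why the \binom{t}{2}/q term is harmless there and the ROS-problem carries the whole burden of the bound.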

Security against sequential attacks. It can be seen from the above proof that a sequential attack cannot succeed in the GM + ROM with a better probability than \binom{t}{2}/q. Here the intractability of the ROS-problem is not needed. This characterizes the different power of sequential and of parallel attacks.

For a sequence of ℓ sequential attacks, each with a single signer interaction, A selects the coefficients a_{i,l} in (3) such that there is for each k at most one non-zero coefficient a_{σ_k,l} with l ≥ 1.
Abstract. An intelligent intruder model is proposed in this paper. Besides the algebraic abilities to process messages that the Dolev-Yao intruder has, it can decide when to generate which terms, whether or not to launch a new session, which principal to choose, and what role that principal will play, based on a set of strand-added rules. By this heuristic method we obtain a finite state space without the explicit configuration needed by most model checking tools.



1 Introduction 

Security protocols are used to achieve secure communication over public networks by exploiting cryptography in protocol messages, and with the rapid growth of the Internet they play an increasingly important role in security-critical sessions such as electronic commerce. They may involve only 2-5 messages to exchange, but their design and analysis are notoriously complex and error-prone [1], and some of them have been found to have flaws many years after they were published [2].

Because of the subtlety of reasoning about the correctness of security protocols, many researchers have turned to formal methods to analyse them. Three main approaches exist. The first is the logic method, which uses belief logic to express and deduce security properties, such as BAN [3] and the Theory Generator [4], a tool that automates the deduction process. The second kind of approach is based on model checking or state space exploration [5,6,7]; these methods are completely automatic and can give counterexamples when a flaw is found. The third approach depends on theorem proving [8,9], which is difficult to use but can prove the correctness of a protocol.

In order to make the analysis procedure tractable, all of the above methods rely on an idealized model called the Dolev-Yao model [10]. This model makes two assumptions: one is perfect encryption, that is, one can obtain the plaintext from a ciphertext only by using the corresponding key; the other is a fixed set of actions the intruder may take, which can be applied nondeterministically during protocol execution. The intruder is generally called the Dolev-Yao intruder; it can intercept any message from the network, decompose a message into parts and remember them, generate fresh data as needed, compose new messages from known information, and send a new message. At each step of protocol execution, the intruder chooses one of those actions nondeterministically. In [11], Cervesato gives a standard presentation of the Dolev-Yao model using multiset rewriting with existential quantification. Another intruder model is called Machiavelli [12], which has been proved to be equivalent to the Dolev-Yao intruder.

The Dolev-Yao intruder takes full control of the network and is very powerful, but the Dolev-Yao intruder model only specifies how the intruder processes a message, such as composing or decomposing it. It does not say which message to process or when to process a particular kind of message. So we call the Dolev-Yao intruder model an algebraic intruder model. In this paper we propose an intelligent intruder model used by a state space exploration method based on dynamic strand spaces.

The remainder of this paper is organized as follows. In Section 2 we model the execution of a security protocol using the state space exploration method based on dynamic strand spaces; in Section 3 we formulate and discuss the intelligent intruder model. Section 4 concludes the paper.



2 Model the Security Protocol 

In this section we first give the basic notions needed in this paper and extend the strand space model [9] into a dynamic one. The strand space model is a new way to analyse protocols in which the exact causal relations between events are considered, so the proof of a protocol property is much simpler than with trace-based models. In addition, the strand space model has also been used as the basis of model checking tools such as Athena [13]. We then describe the state structure based on the dynamic strand space model.

2.1 Basic Notions 

Here we use the word term for a message exchanged by protocol participants; the smallest terms are atomic terms, which cannot be divided any further. The formal definition is as follows.

Definition 1. Let S_name be the set of protocol principals, S_ks the key set for symmetric cryptography, S_kp the key set for public key cryptography, and S_nonce the set of nonces. A is the set of atomic terms, A = S_name ∪ S_ks ∪ S_kp ∪ S_nonce.

For brevity we limit our discussion to just these kinds of atomic terms; other atomic terms can be appended to the above definition easily without affecting our analysis substantially.

Definition 2. Let M be the set of all possible terms; it is defined inductively over the atomic terms A as follows:

1. If a ∈ A, then a ∈ M.

2. If m_1 ∈ M and m_2 ∈ M, then m_1 · m_2 ∈ M (concatenation).

3. If m ∈ M and k ∈ S_ks ∪ S_kp, then m_k ∈ M (m encrypted under k).

Each atomic term occurring in m, m ∈ M, is called an element of m.
Definition 3. Let m ∈ M. checkpart(m) denotes the set of elements that are checked by a protocol participant to determine whether m is acceptable; infopart(m) is the set of elements from which protocol participants learn more information.

We distinguish between these two parts of a term so as to know which parts of a term must be kept and which can be changed when the intruder generates new terms. For example, a principal checks the nonce field to judge whether the term is valid, and then reads an account number from the term, from which it debits some money.

Definition 4. The space of a term m, denoted space(m), is the set of terms that have the same check part as m, that is, for all t ∈ space(m), checkpart(m) = checkpart(t) holds. The dimension of space(m) is the cardinality of infopart(m); a bigger dimension means a bigger term set.

Definition 5. Let m_1 ∈ M and m_2 ∈ M. m_1 is equivalent to m_2, denoted m_1 ≡ m_2, if m_1 ∈ space(m_2) and m_2 ∈ space(m_1). So if m_1 can be accepted by a principal, m_2 can be accepted by the same principal too; thus the two messages are equivalent to each other.

Based on term equivalence, we can model all possible terms constructed by the intruder that can be accepted by an honest principal. This is useful for state space exploration tools based on forward search.



2.2 Dynamic Strand Space Model 

In [9] strands are static and cannot characterize the features of protocol execution, since the strand space approach was originally a proof-based method. In this subsection we enhance the strand space model with dynamic features by introducing the notion of an active node.

Definition 6. A protocol role is defined by the protocol specification, and its behavior is determined by a sequence of events of the form < +a > or < −a > for a ∈ M, that is, term a is sent or received. All atomic terms in the event trace are parameters that need to be instantiated when the protocol executes.

Definition 7. A strand s is an instance of a protocol role. Its corresponding event trace is denoted tr(s). A strand can be treated as a chained graph in which every signed term is a node; a node is a pair < s, i >, 1 ≤ i ≤ length(tr(s)).

Definition 8. An active node is a node n of a strand s indicating that s is about to execute this node. If n = < s, i > is the active node of s, then the next active node will be < s, i + 1 >, with 1 ≤ i < length(tr(s)). If term(n) = −a, then the active node n is waiting to receive a term a; if term(n) = +a, then the active node n will send a term a.
Definition 9. A dynamic strand space consists of a set of strands Σ such that:

1. For nodes < s, i > and < s, i + 1 > there is an edge < s, i > ⇒ < s, i + 1 >. N denotes the set of nodes.

2. Let s_1 ∈ Σ and s_2 ∈ Σ; if term(< s_1, i >) = +a and term(< s_2, j >) = −a, then there is an edge < s_1, i > → < s_2, j >.

3. For s ∈ Σ there must be a node that is active on s; if the active node is the last one of s, then s is a complete strand, otherwise s is still in progress. A strand with an active node is called a dynamic strand.

So a dynamic strand space is a dynamic graph (N, Active, (⇒ ∪ →)), where Active is the set of active nodes in the strand space.

Definition 10. A bundle is a subgraph of the strand space, denoted C = (N_C, (⇒ ∪ →)), for which the following properties hold:

1. If < s, i > ∈ C, then for all nodes n of s, n ∈ C.

2. If < s_1, i > ∈ C and < s_1, i > → < s_2, j > holds, then < s_2, j > ∈ C.

This definition differs from the one in [9] and is more suitable for constructing bundles automatically.

2.3 Computation Model of Security Protocol 

In this subsection we describe the computation model of security protocols used in this paper, which is based on the dynamic strand space model and is exploited by forward state space exploration. The state structure of this model is defined as follows:

Definition 11. A state is a tuple < C, Active, I, ⇢ >, where

1. C is a bundle, and it becomes complete only when the final state is reached, or else it is an illegal bundle. An incomplete bundle means that there are some negative nodes in strands with no edge → incident to them. An illegal bundle is an incomplete one that cannot become complete from the current state. In the first state, C just contains an intruder strand that is empty.

2. Active is the set of active nodes in bundle C; each strand in C can have an active node. In the final state, Active is empty. The active nodes are mainly used to determine the term accepted by each strand in C.

3. I is the intruder model that will be described in the next section.

4. ⇢ is a binary relation. For n_1 ∈ C and n_2 ∈ C, if n_1 ⇢ n_2, then (n_1, n_2) is an edge of C; so ⇢ helps us to keep track of the evolution of the bundle C, and when the final state is reached we can complete the bundle and obtain an attack on the protocol if one exists. In the initial state, ⇢ is empty.

Proposition 1. If Active is empty in a state < C, Active, I, ⇢ >, then this state is a final state, and by substituting the ⇢ of this state for → in C we obtain a complete bundle. If C contains the intruder strand, then it is an attack; otherwise it is a regular bundle.
3 Formulate the Intruder Model

In this section we give the intruder model, which is more intelligent than the algebraic intruder models in the literature. This intruder model still takes full control over the communication network and can do everything the Dolev-Yao intruder is allowed to do, so it is at least as powerful as the Dolev-Yao intruder model. Moreover, it has the ability to decide when to generate which terms, whether or not to initiate a new session with a principal, how to choose the principal, and what role the principal will play.

3.1 The Structure of the Intruder Model 

The structure of the intelligent intruder model consists of three parts, that is, the terms processor, the rule bases and the knowledge bases. Fig. 1 gives its structure.

Fig. 1. The structure of the intelligent intruder model; the legend distinguishes control-path edges from data-path edges.

There are five directed edges in the structure, and each directed edge indicates the direction of information flow. Edge 1 represents that terms on the network are intercepted by the intruder; by the terms processor, the intruder decomposes these terms and puts their elements into its knowledge bases via edge 2. According to the state of the knowledge bases, read via edge 3, the rule bases decide what action the intruder will take, and this is conveyed by edge 4. If the intruder needs to generate new terms, then the terms generator gets the term elements it needs from the knowledge bases via edge 2, that is, edge 2 is bidirectional. At last, the new term is sent to the network via edge 5, so term1 and term2 in Fig. 1 may be different, but they can also be the same, in which case the intruder does nothing to the term.

In addition, the edges can be divided into two classes, control paths and data paths. In Fig. 1, edges 1, 2 and 5 are data paths, on which real terms are transmitted; edges 3 and 4 are control paths, which carry control information such as the information used to decide which term is generated by the intruder.

3.2 Knowledge Bases 

The knowledge bases in the intelligent model contain the information known so far by the intruder during the execution of the protocol. Below we introduce the structure of the knowledge bases.

Definition 12. The knowledge bases are a tuple < PS, Key, Nonce, Msg >, where

1. PS contains the state information related to the participants; it is a set whose elements are < Name, Role, Session >, where Name is the principal's identifier, Name ∈ S_name, Role indicates which role the principal will play, which decides a strand for this principal, such as an initiator strand or a responder strand, and Session distinguishes the different instances the same principal takes part in, because the same principal may appear many times in the same bundle. In the initial state, PS is empty.

2. Key is the set of keys known by the intruder, which includes all principals' public keys and the keys owned by the intruder, such as its private key or keys shared with honest principals. Each element of Key is a predicate, k := pubK_A | privK_A | shK_AB, where A and B are principal variables that can be instantiated by any principal in PS and the three predicates represent a public key, a private key and a shared key respectively. In the initial state, Key contains only the intruder's keys.

3. Nonce is the set of nonces learned by the intruder in this bundle. A nonce is a random number generated by a principal that cannot be guessed by non-intended receivers or the intruder, so as to guarantee that the term just received is fresh. In order to model its uniqueness, each element is defined as a tuple < Name, Session, No >, in which Name tells which principal produced the nonce and in which Session. A principal may generate many nonces in one strand, so the nonce sequence number No models this case. Finally, Name must belong to PS or be the intruder itself. In the initial state, Nonce contains nothing.

4. Msg is the set of compound terms that cannot be divided into atomic terms by the intruder according to its knowledge, for example because the intruder lacks the decryption key for an encrypted term. In the initial state, Msg is empty.

The knowledge bases are dynamic during protocol execution and need to be updated when the intruder intercepts new terms or initiates a new session. The update rules are described in the following two subsections.



3.3 Terms Processor 

The terms processor is composed of two parts: the terms decomposer and the terms composer. The terms decomposer divides the terms intercepted from the network into the smallest terms, which need not be atomic terms. The terms composer is used to generate new terms from the knowledge the intruder has acquired so far. Moreover, the first part is a decidable procedure, that is, a given term can be divided into subterms in a unique way, whereas the latter is not bounded, because the intruder can generate infinitely many new terms from the current knowledge bases by applying the encryption and concatenation operations any number of times.

Four rules are used by the terms decomposer to decompose intercepted terms, called decomposition rules. Let m be the intercepted term, k ∈ S_ks ∪ S_kp, and Key the key set in the knowledge bases. The Decomposition(m) procedure based on these rules looks as follows (the rules for m_1 · m_2 and for m'_k recurse, so that a term is split down to the smallest terms the intruder can reach; whether a decryption succeeds depends on k^{-1} ∈ Key):

procedure Decomposition(m)
{
    if m ∈ A, then Add(m);
    if m = m_1 · m_2, then Decomposition(m_1) and Decomposition(m_2);
    if m = m'_k and k^{-1} ∈ Key, then Decomposition(m');
    if m = m'_k and k^{-1} ∉ Key, then Add(m);
}

The procedure Add(m) adds a term m to the knowledge bases and is defined as follows:

procedure Add(m)
{
    if m ∈ S_name, then
        add nothing;                    // PS is updated when a protocol instance is created
    if m ∈ S_nonce, then
        add m to the set Nonce in the proper form;
    if m ∈ S_ks ∪ S_kp, then
        add m to the set Key in the proper form;
        for each t ∈ Msg,               // a newly learned key may open terms that were opaque so far
            Decomposition(t);
    otherwise,
        add m to the set Msg.
}

The process of generating a new term is very complex, and it needs a term template to decide what kind of term to produce. The term space can be used as the template, so it is critical to obtain a finite space(m). The basic composition rules are defined as follows:

Definition 13. Let I denote the union of all sets in the knowledge bases. Then

1. If m ∈ I, then I ⊢ m, and whatever I ⊢ m is derived extends I;

2. If I ⊢ m_1 and I ⊢ m_2, then I ⊢ m_1 · m_2;

3. If I ⊢ m and I ⊢ k, then I ⊢ m_k.

In fact, we can decompose each element of space(m) according to the knowledge bases of the intruder, and if all subterms can be found in the corresponding sets of the knowledge bases, then this element can be generated by the intruder from its current knowledge.

If a term m can be derived from the knowledge bases of the intruder, there exists a unique normal derivation in which every decomposition rule occurs before every composition rule [5], so the terms decomposer should be run before the terms composer in order to obtain a unique derivation.
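The following Python implementation is an added example, not code from the paper. It realises the terms of Definition 2, the Key/Nonce/Msg sets of Definition 12, the Decomposition and Add procedures above, and the composition rules of Definition 13, applied in the order the normal-derivation remark requires (decompose first, then compose). Terms are tagged tuples, ("name", "A"), ("nonce", "Na"), ("sk", "Kab"), ("pk", "A"), ("priv", "A"), ("pair", m1, m2) and ("enc", m, k); those tags, the inverse-key convention and the Needham-Schroeder-like intercepted message are this example's own constructions.

```python
"""Dolev-Yao term processor shaped after the paper's knowledge bases (added example).
Tag names, key conventions and the sample message are this example's own choices."""

KEY_SORTS = {"sk", "pk", "priv"}
ATOM_SORTS = KEY_SORTS | {"name", "nonce"}


def inverse(k):
    """k^{-1}: a symmetric key inverts itself; public and private keys invert each other."""
    sort, owner = k
    if sort == "sk":
        return k
    return ("priv", owner) if sort == "pk" else ("pk", owner)


class KnowledgeBase:
    """The tuple <PS, Key, Nonce, Msg>; PS here holds only the names of the principals
    in the sessions the intruder has opened."""

    def __init__(self, principals, keys):
        self.ps = set(principals)
        self.key = set(keys)
        self.nonce = set()
        self.msg = set()        # ciphertexts the intruder cannot open yet

    def decomposition(self, m):
        """Split an intercepted term into the smallest terms reachable with the current keys."""
        if m[0] in ATOM_SORTS:
            self.add(m)
        elif m[0] == "pair":
            self.decomposition(m[1])
            self.decomposition(m[2])
        elif m[0] == "enc":
            body, k = m[1], m[2]
            if inverse(k) in self.key:
                self.decomposition(body)
            else:
                self.add(m)

    def add(self, m):
        """Add(m): file an atom in its set; a newly learned key re-opens the opaque terms in Msg."""
        if m[0] == "name":
            return                          # PS is updated when a session is created
        if m[0] == "nonce":
            self.nonce.add(m)
        elif m[0] in KEY_SORTS:
            self.key.add(m)
            for t in list(self.msg):
                self.msg.discard(t)
                self.decomposition(t)       # lands back in Msg if still not openable
        else:
            self.msg.add(m)

    def derives(self, m):
        """I |- m by the composition rules of Definition 13, run after decomposition."""
        if m in self.ps | self.key | self.nonce | self.msg:
            return True
        if m[0] == "pair":
            return self.derives(m[1]) and self.derives(m[2])
        if m[0] == "enc":
            return self.derives(m[1]) and m[2] in self.key
        return False


def intercept_demo():
    """Constructed scenario: intruder I intercepts A's first NSPK-style message addressed
    to I, paired with a ciphertext for A that I cannot open; later I learns A's private key."""
    A, B, I = ("name", "A"), ("name", "B"), ("name", "I")
    pkA, pkB, pkI = ("pk", "A"), ("pk", "B"), ("pk", "I")
    privI, privA = ("priv", "I"), ("priv", "A")
    Na, Nb = ("nonce", "Na"), ("nonce", "Nb")
    kb = KnowledgeBase(principals=[A, B, I], keys=[pkA, pkB, pkI, privI])

    intercepted = ("pair", ("enc", ("pair", Na, A), pkI), ("enc", Nb, pkA))
    kb.decomposition(intercepted)
    to_B = ("enc", ("pair", Na, A), pkB)    # A's nonce re-encrypted for B (man-in-the-middle)
    before = {
        "learned_Na": Na in kb.nonce,
        "Nb_ciphertext_opaque": ("enc", Nb, pkA) in kb.msg,
        "can_forge_to_B": kb.derives(to_B),
        "can_replay_opaque": kb.derives(("enc", Nb, pkA)),
        "knows_Nb": kb.derives(Nb),
    }
    kb.add(privA)                           # key compromise: Msg is re-decomposed
    after = {"knows_Nb": kb.derives(Nb), "msg_empty": not kb.msg}
    return before, after


INTERCEPT_DEMO = intercept_demo()
```

Note that the opaque ciphertext is still derivable (rule 1 of Definition 13) even though its content is not: the intruder can replay what it cannot read, which is exactly the replay capability the strand-added rules exploit.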
3.4 Rule Bases

The rule bases are the part that gives the intruder its intelligence. Some researchers have presented principles for security protocol design [14] that can be used to enhance the intruder's intelligence. In this subsection we describe the rules used by the intruder to decide when to generate which terms, whether or not to initiate a new session with a principal, how to choose the principal, and which role the principal will play.

The temporal feature of protocol execution in the state exploration method introduced in this paper is characterized by the set of active nodes in a state; each active node decides the term accepted by the involved participant, so for each term t decided by an active node, space(t) is the set of terms acceptable to the corresponding participant, each with a different attack effect.

In our model, the protocol execution must be launched by the intruder. Each time the intruder initiates a new session, it updates the principal state PS in the knowledge bases, that is, the principal's name, its role and the session it is taking part in, as well as the set Key, by adding the principal's public key. If it launches a new session with the principal as a responder, then it impersonates the initiator, and if with the principal as an initiator, it plays the responder role.

Moreover, the following rules, called strand-added rules, are used to initiate a new session, that is, to add a strand to the bundle C of a state; they are drawn from [14,15,16].

— Man-in-the-middle attack. If the intruder intercepts the first term from the initiator, then it produces the next states by adding a responder strand whose owner is a principal other than the initiator; moreover, space(t), where t is the term described in the parametric responder strand, is used to characterize the terms for the different responder strand instances, and each results in a different successor state. For example, the naming attack in [14] and the attack on case c in [16] belong to this case.

— No-responder attack. If the intruder intercepts the first term from the initiator, then it produces the successor states by adding responder strands whose owner is the same as the initiator principal; similarly, space(t) is used to characterize the terms for the different responder strand instances. The attacks in this case include the parallel session attacks in [15].

— No-initiator attack. In this case the intruder impersonates the initiator without involving the initiator in the protocol execution, as in the attack on B in [16] and the freshness attacks in [15]. Again, space(t) is used to produce the different responder strand instances.

Certainly, the above rules cannot cover all attack patterns, but new patterns can be added easily. In the first case the intruder has to generate appropriate terms for the initiator and the responder at the same time, which is the man-in-the-middle attack. In the second case the intruder disguises itself as a responder talking to the initiator and no real responder is present. In the last case the intruder impersonates the initiator to talk with the responder.
3.5 Discussion of the Intelligent Intruder

The intelligent intruder takes full control over the network like the Dolev-Yao intruder, and also has the algebraic ability to intercept, remember and generate new messages, so it is as powerful as the Dolev-Yao intruder. In present protocol analysis methods based on model checking, some protocol parameters, such as the number of principals, have to be configured in advance in order to obtain a finite state space. As a result, if no attack is found, this only proves the protocol correct under that small configuration; it cannot guarantee the correctness of general protocol executions. Depending on the term space, the intelligent intruder helps to limit the number of terms to generate at a protocol execution step, that is, to bound the number of bundle types for the security protocol. And using the strand-added rules, the intelligent intruder limits the bundle size by adding a new strand only when it has a different attack effect, that is, a different attack pattern. Thus it helps to obtain a finite state space by limiting the bundle types and the bundle size without an explicit configuration, which makes it more flexible for protocol analysis methods based on state space exploration. Moreover, the rules used by the intruder to add strands can be extended easily when new attack patterns are found in the future.

4 Conclusion

In this paper we propose an intruder model that is more intelligent than the algebraic Dolev-Yao intruder model. The intruder model is introduced within the state space exploration method based on the dynamic strand space model. The original strand space model is static, that is, it cannot model the dynamic procedure of protocol execution; here we introduce active nodes to make it dynamic. The state includes the bundle; during protocol execution, strands are added to this bundle gradually, and in the final state it represents a protocol execution. The intelligent intruder is composed of knowledge bases, rule bases and a terms processor, and controls the evolution of the bundle. It can decide when to generate which terms according to the term space of the active node set in a state, and decide whether or not to initiate a new session with a principal and which role the principal will play based on rules. By this heuristic method we obtain a finite state space without the explicit configuration needed by many model checking tools.
Abstract. Linear Feedback Shift Registers (LFSR) are important building blocks in stream cipher systems. The connection polynomials of the LFSRs need to be primitive over GF(2). Also the polynomial should have high weight and it should not have sparse multiples of moderate degree. Here we provide results which have immediate application in the synthesis of connection polynomials for stream cipher systems. We show that, given any primitive polynomial f(x) of degree d, there exist 2^{d-1} - 1 distinct trinomial multiples of degree less than 2^d - 1. Among these trinomial multiples, it is known that a trinomial of the form x^{\frac{2}{3}(2^d-1)} + x^{\frac{1}{3}(2^d-1)} + 1 contains all the degree d (d even) primitive polynomials as its factors. We extend this result by showing that, if d_1 (even) divides d (even) and \frac{2^d-1}{3} \not\equiv 0 \bmod (2^{d_1} - 1), then the trinomial x^{\frac{2}{3}(2^d-1)} + x^{\frac{1}{3}(2^d-1)} + 1 contains all the primitive polynomials of degree d_1 as its factors. We also discuss algorithmic issues in getting trinomial multiples of low degree. Next we present some results on t-nomial multiples of primitive polynomials which help us in choosing primitive polynomials that do not have sparse multiples.

Keywords: Primitive Polynomials, Cyclotomic Cosets, Galois Field, Stream Cipher.



1 Introduction

A standard model of stream cipher [14,15,1] combines the outputs of several independent Linear Feedback Shift Register (LFSR) sequences using a nonlinear Boolean function to produce the keystream. This keystream is bitwise XORed with the message bitstream to produce the cipher. The decryption machinery is identical to the encryption machinery. The properties of the nonlinear combining Boolean function have received a lot of attention in the literature over the last two decades, and it is now possible to get good Boolean functions which are cryptographically strong (see [13] and the references therein). However, here we look into the other building block of such a system, the LFSRs. We concentrate on the problems arising from the design criteria of the LFSRs in a stream cipher system.

The connection polynomials of the LFSRs are polynomials over GF(2). The relationship between this polynomial and the connection pattern of the LFSR is explained in [2,1,12]. It is important to note that, towards resisting cryptanalytic attacks, the LFSRs should be designed keeping the following points in mind [11,5].

1. The connection polynomial must be primitive over GF(2).

2. The weight of the connection polynomial must be high.

3. There should not be any sparse multiple of moderate degree of the connection polynomial.

It is also important to point out that if polynomials with these properties are used, then it is not possible to cryptanalyse the standard model [14,15,1] even with the currently known techniques (see [7] and the references therein).

Our motivation in this effort is to find polynomials with these properties. In a recent work [5] a similar problem was posed, and it was shown that a primitive polynomial f(x) of degree d may or may not have a trinomial multiple, i.e., it was not clearly settled whether such trinomials exist for every primitive polynomial f(x) of degree d. We here completely settle the issue by showing that given any primitive polynomial f(x) of degree d there exist 2^{d-1} - 1 distinct trinomial multiples. It is known [3] that a trinomial of the form x^{\frac{2}{3}(2^d-1)} + x^{\frac{1}{3}(2^d-1)} + 1 contains all the degree d (d even) primitive polynomials as its factors. We generalize the result by proving that, if d_1 (even) divides d (even) and \frac{2^d-1}{3} \not\equiv 0 \bmod (2^{d_1} - 1), then the trinomial x^{\frac{2}{3}(2^d-1)} + x^{\frac{1}{3}(2^d-1)} + 1 contains all the primitive polynomials of degree d_1 as its factors. We also provide some results on finding trinomial multiples of low degree.

Apart from these results, we identify a large class of primitive polynomials of high weight which have sparse multiples at a very low degree. If f(x) is a primitive t-nomial of degree d, then there exists a t-nomial multiple of degree sd where gcd(s, 2^d - 1) = 1. As an example, we show that there are trinomial multiples of degree 3d for a large class of primitive polynomials of degree d. This helps in providing a specific design strategy for the primitive polynomials to be used in stream cipher systems.

At this point we also like to mention the problem of finding Zech's logarithm. Given a primitive element α ∈ GF(2^d), we can write 1 + α^n = α^{Z(n)}. Given n, the calculation of Z(n) is called the problem of finding Zech's logarithm [10, Page 91, Volume 1]. This problem [6,4,3] is related to the problem of getting trinomial multiples of a primitive polynomial.
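The following Python helpers are an added example, not code from the paper. They represent a polynomial over GF(2) as an integer whose bit i is the coefficient of x^i, test primitivity through the exponent e (a primitive polynomial of degree d has e = 2^d - 1), tabulate the Zech logarithm Z(n) of a root α, and read off the trinomial multiples x^{Z(n)} + x^n + 1 that 1 + α^n = α^{Z(n)} produces; for x^4 + x + 1 this yields the 2^{4-1} - 1 = 7 trinomial multiples the abstract counts, with f(x) itself as the one of lowest degree. The bit encoding and the function names are this example's own choices.

```python
"""GF(2)[x] helpers (added example): ints as polynomials, bit i = coefficient of x^i,
so 0b10011 is x^4 + x + 1.  Encoding and names are this example's own choices."""


def deg(a: int) -> int:
    return a.bit_length() - 1


def pmod(a: int, f: int) -> int:
    """Remainder of a modulo f in GF(2)[x] (subtraction is XOR)."""
    df = deg(f)
    while a and deg(a) >= df:
        a ^= f << (deg(a) - df)
    return a


def order_of_x(f: int) -> int:
    """Least e >= 1 with x^e = 1 mod f, the exponent of f; needs f(0) != 0 so x is a unit."""
    if f & 1 == 0 or deg(f) < 1:
        raise ValueError("f must have a nonzero constant term and degree >= 1")
    e, p = 1, pmod(2, f)                 # p = x^e mod f
    while p != 1:
        p = pmod(p << 1, f)
        e += 1
    return e


def is_primitive(f: int) -> bool:
    """x has order 2^d - 1 iff every nonzero residue mod f is a power of x, i.e. f is primitive."""
    return f & 1 == 1 and order_of_x(f) == (1 << deg(f)) - 1


def primitive_polys(d: int) -> list:
    """All primitive polynomials of degree d; there are phi(2^d - 1) / d of them."""
    return [f for f in range((1 << d) | 1, 1 << (d + 1), 2) if is_primitive(f)]


def zech_table(f: int) -> dict:
    """Z(n) for n = 1..2^d-2 with 1 + alpha^n = alpha^{Z(n)}, alpha a root of primitive f.
    Z(0) is undefined because 1 + alpha^0 = 0."""
    n_max = (1 << deg(f)) - 1
    power, log = {}, {}
    a = 1                                # alpha^0 as a residue mod f
    for n in range(n_max):
        power[n], log[a] = a, n
        a = pmod(a << 1, f)              # multiply by x = alpha
    return {n: log[power[n] ^ 1] for n in range(1, n_max)}


def trinomial_multiples(f: int) -> list:
    """Distinct trinomials x^a + x^b + 1 (a > b >= 1, a < 2^d - 1) divisible by primitive f.
    x^{Z(n)} + x^n + 1 vanishes at alpha, hence at all conjugates of alpha, hence f divides it;
    n -> Z(n) is a fixed-point-free involution, so there are (2^d - 2)/2 = 2^{d-1} - 1 of them."""
    z = zech_table(f)
    return sorted({(max(n, zn), min(n, zn)) for n, zn in z.items()})


def all_divide(f: int, pairs) -> bool:
    """Independent check: reduce every listed trinomial modulo f."""
    return all(pmod((1 << a) | (1 << b) | 1, f) == 0 for a, b in pairs)


F4 = 0b10011                             # x^4 + x + 1, the running example above
TRINOMIALS_F4 = trinomial_multiples(F4)
```

Reading the table the other way round is the design check the criteria above ask for: the smallest a in trinomial_multiples(f) is the degree of the sparsest trinomial multiple of f, and a candidate connection polynomial with a small a is one to reject.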

2 Preliminaries 

In this section we make precise certain terms and also present some basic results. 
Most of these concepts are taken from [9,10]. We will denote the field of $p$ elements 
($p$ prime) by $GF(p)$, and by $GF(p^d)$ we will denote the extension field 
of dimension $d$ over $GF(p)$. In this paper the base field is $GF(2)$ if not otherwise 
stated. 

Definition 1. For every prime $p$ and positive integer $d$ there is exactly one finite 
field (up to isomorphism) of order $p^d$. This field $GF(p^d)$ is usually referred to as 
the Galois field of order $p^d$, and $p$ is called the characteristic of $GF(p^d)$. The 
nonzero elements of $GF(p^d)$ form a cyclic group under multiplication. So it will 
have a generator $\alpha$ which generates all the elements of $GF(p^d)$ except zero, and 
$\alpha^{p^d - 1} = 1$. For example, if $p = 2$ and $d = 4$, $GF(2^4) = \{0, \alpha, \alpha^2, \ldots, \alpha^{15}\}$. 

Definition 2. A polynomial is irreducible over a field if it is not the product of 
two polynomials of lower degree over the field. For example, $x^4 + x + 1$ is an irreducible 
polynomial of degree four over $GF(2)$, but $x^4 + x^2 + 1$ is not irreducible because 

$x^4 + x^2 + 1 = (x^2 + x + 1)^2$. 

Definition 3. An irreducible polynomial of degree $d$ is called a primitive polyno- 
mial if its roots are generators of the field $GF(p^d)$. It can be proved that there 
are $\frac{\phi(p^d - 1)}{d}$ primitive polynomials, where $\phi$ is the Euler phi-function. For 

example, if $p = 2$ and $d = 4$, $\frac{\phi(15)}{4} = 2$, i.e., there exist exactly two primitive 

polynomials of degree 4 over $GF(2)$. 

The Euler phi-function is defined for a positive integer $m$ by $\phi(m) = s$, where $s$ is 
the number of positive integers less than or equal to $m$ that are relatively prime 
to $m$. For example, if $m = 15$ then $1, 2, 4, 7, 8, 11, 13, 14$ are relatively prime to 
15 and so $\phi(15) = 8$. A well known result [10, Chapter 4, Page 98] from number 
theory is $\phi(m) = m \prod_{i=1}^{t} \left(1 - \frac{1}{p_i}\right)$ where $m = p_1^{a_1} p_2^{a_2} \cdots p_t^{a_t}$. 

Definition 4. Let $f(x)$ be a polynomial of degree $d \ge 1$ with $f(0) \ne 0$. Then 
there exists a least positive integer $e \le p^d - 1$ such that $f(x)$ divides $x^e - 1$, i.e., 
$x^e \equiv 1 \bmod f(x)$. This $e$ is called the exponent (or order) of the polynomial, and we say 
the polynomial $f(x)$ belongs to exponent $e$. 

It can be proved that if $f(x)$ is a primitive polynomial of degree $d$ then $e = 2^d - 1$. 
Thus for the primitive polynomial $x^4 + x + 1$ we have $e = 15$. However, the result 
is not similar for irreducible polynomials. As an example, the irreducible polynomial 
$x^4 + x^3 + x^2 + x + 1$ belongs to exponent 5, since $x^5 \equiv 1 \bmod (x^4 + x^3 + x^2 + x + 1)$. 

Definition 5. The operation of multiplying by $p$ divides the integers mod $(p^d - 1)$ 
into different sets called cyclotomic cosets mod $(p^d - 1)$. The cyclotomic coset 
containing $s$ consists of $\{s, ps, p^2 s, \ldots, p^{d_s - 1} s\}$ where $d_s$ is the smallest positive 
integer such that $p^{d_s} \cdot s \equiv s \bmod (p^d - 1)$. Note that $d_s$ is called the length of the 
cyclotomic coset mod $(p^d - 1)$. 

The set of all cyclotomic cosets mod $(2^6 - 1)$, where $p = 2$, is as follows. 

$C_0 = \{0\}$, $C_1 = \{1, 2, 4, 8, 16, 32\}$, $C_3 = \{3, 6, 12, 24, 48, 33\}$, 

$C_5 = \{5, 10, 20, 40, 17, 34\}$, $C_7 = \{7, 14, 28, 56, 49, 35\}$, $C_9 = \{9, 18, 36\}$, 

$C_{11} = \{11, 22, 44, 25, 50, 37\}$, $C_{13} = \{13, 26, 52, 41, 19, 38\}$, $C_{15} = \{15, 30, 60, 57, 51, 39\}$, 
$C_{21} = \{21, 42\}$, $C_{23} = \{23, 46, 29, 58, 53, 43\}$, $C_{27} = \{27, 54, 45\}$, 

$C_{31} = \{31, 62, 61, 59, 55, 47\}$. 
Definition 6. Let $\beta \in GF(p^d)$. The minimal polynomial over $GF(p)$ of $\beta$ is the 
lowest degree monic (leading coefficient 1) polynomial $M(x)$ with coefficients 
from $GF(p)$ such that $M(\beta) = 0$. 

Some properties of the minimal polynomial are as follows. (1) $M(x)$ is irreducible 
over $GF(p)$. (2) If $f(x)$ is a polynomial with coefficients in $GF(p)$ and $f(\beta) = 0$ 
then $M(x) \mid f(x)$. (3) $M(x) \mid x^{p^d} - x$. (4) $\deg M(x) \le d$. (5) The minimal 
polynomial of a primitive element of $GF(p^d)$ has degree $d$. Such a polynomial is 
called a primitive polynomial. 

Definition 7. A polynomial with $t$ nonzero terms, one of them being the con- 
stant term, is called a $t$-nomial, or in other words a polynomial of weight $t$. 

As an example, $x^4 + x + 1$ is a 3-nomial (trinomial), and $x^4 + x^3 + x^2 + 1$ is a 4-nomial 
or a polynomial of weight 4. Note that, in the literature, a polynomial of sparse 
weight generally means $t \le 10$ [11, Page 160]. 

As we have already discussed, a primitive polynomial can be written in the 
form $x^d + \sum_{i=0}^{d-1} a_i x^i$, where $a_i \in \{0, 1\}$. Let this polynomial be of weight $t$. When 
we use this polynomial as the connection polynomial of an LFSR, the implemen- 
tation will have $(t - 1)$ taps in the circuit. 



3 Trinomial Results 

In this section we provide results related to trinomial multiples of primitive 
polynomials. 

Theorem 1. Let $f(x)$ be a primitive polynomial of degree $d$. Then there exists 
a trinomial $x^i + x^j + 1$ which is divisible by $f(x)$. 

Proof. Let $f(x)$ be a primitive polynomial over $GF(2)$ of degree $d$. Let $\alpha$ be 
a root of it. So $\alpha$ is a primitive element of $GF(2^d)$. As $f(x)$ is primitive its 
exponent is $e = 2^d - 1$. Now $\alpha^i \in GF(2^d)$ for any $i$, $1 \le i < e$. So $1 + \alpha^i \in GF(2^d)$, 
which gives $1 + \alpha^i = \alpha^j$ for some $j \ne i$, $1 \le j < e$. Hence $1 + \alpha^i + \alpha^j = 0$. Thus 
$\alpha$ is a root of the trinomial $1 + x^i + x^j$. As $f(x)$ is the minimal polynomial of 
$\alpha$, it must divide $x^i + x^j + 1$. □ 

Corollary 1. Given a primitive polynomial $f(x)$ of degree $d$, there will be 
$(2^{d-1} - 1)$ distinct trinomial (of degree $< 2^d - 1$) multiples of $f(x)$. 

Proof. We consider the trinomials of the form $1 + x^i + x^j$. We need to choose 
the value of $i$. Now $1 \le i < e = 2^d - 1$, so there are $2^d - 2$ options for $i$. For each $i$ 
we get some $j \ne i$, $1 \le j < e$, such that $1 + \alpha^i = \alpha^j$. Also we can 
interchange the roles of $i, j$. Thus there are $\frac{2^d - 2}{2} = 2^{d-1} - 1$ such trinomials. □ 

Note that the way we have found the trinomials here depends on the 
primitive polynomial. Thus, given the value of $i$ such that $1 + \alpha^i = \alpha^j$, the value 
of $j$ is fixed by the primitive element $\alpha$, which in turn depends 
on the specific primitive polynomial. However, it is possible that one trinomial 
has more than one primitive polynomial of the same degree as its factors. In 
fact, we know [3] that for even $d$ it is possible to get a trinomial which has all 
the primitive polynomials of degree $d$ as its factors. 

First let us discuss a few technical points. We take the prime factorization 
$d = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$. The cyclotomic coset of length $l$ containing $s$ consists of 
$\{s, 2s, 2^2 s, \ldots, 2^{l-1} s\}$ where $l$ is the smallest positive integer such that $2^l \cdot s \equiv 
s \bmod (2^d - 1)$. So $s \cdot (2^l - 1) \equiv 0 \bmod (2^d - 1)$. Now we provide a proof of the 
following folklore result for clarity. 

Proposition 1. Cyclotomic cosets of length $l$ exist iff $l$ divides $d$. 

Proof. First we prove that if $l$ divides $d$, then cyclotomic cosets of length $l$ exist. 
Suppose $l$ divides $d$ but a cyclotomic coset of length $l$ does not exist, i.e., there 
does not exist an integer $s$, $0 < s < 2^d - 1$, satisfying $s \cdot (2^l - 1) \equiv 0 \bmod (2^d - 1)$ 
(see Definition 5). This is false, as the integer $s = \frac{2^d - 1}{2^l - 1}$ satisfies 

$s \cdot (2^l - 1) \equiv 0 \bmod (2^d - 1)$. Hence we land in a contradiction. Note that, as 
$l$ divides $d$, we get that $2^l - 1$ divides $2^d - 1$ [10, Volume 1, Chapter 4, Page 103], 
which gives that $s$ is an integer. 

Now we prove the other direction, i.e., if a cyclotomic coset mod $(2^d - 1)$ of 
length $l$ exists then $l$ must divide $d$. Let $\gcd(l, d) = r \le l$. Then $\gcd(2^l - 1, 2^d - 1) = 2^r - 1$ 
[10, Volume 1, Chapter 4, Page 103]. For cyclotomic cosets of length 
$l$ we know $s \cdot (2^l - 1) \equiv 0 \bmod (2^d - 1)$, where $0 < s < 2^d - 1$. Therefore, 

$$s \cdot \frac{2^l - 1}{2^r - 1} \equiv 0 \bmod \frac{2^d - 1}{2^r - 1}.$$ 

Now, as $\gcd\left(\frac{2^l - 1}{2^r - 1}, \frac{2^d - 1}{2^r - 1}\right) = 1$, $s \equiv 0 \bmod \frac{2^d - 1}{2^r - 1}$, 
i.e., $s \cdot (2^r - 1) \equiv 0 \bmod (2^d - 1)$. Again, $l$ is the smallest positive integer satisfying 
$s \cdot (2^l - 1) \equiv 0 \bmod (2^d - 1)$, so $r = l$. Thus $l$ divides $d$. □ 

In particular, we can easily find the number of cyclotomic cosets of prime 
length. The number of cyclotomic cosets of prime length $p_k$ is $\frac{2^{p_k} - 2}{p_k}$. This is 
proved as follows. As $p_k \mid d$, $2^{p_k} - 1 \mid 2^d - 1$. Let $y = \frac{2^d - 1}{2^{p_k} - 1}$. Now $s \cdot 2^{p_k} \equiv 
s \bmod (2^d - 1)$. Thus $s \cdot (2^{p_k} - 1) \equiv 0 \bmod (2^d - 1)$, which gives $s \equiv 0 \bmod y$. As 
$\gcd(2^{p_k} - 1, 2^d - 1) = 2^{p_k} - 1$, $s$ will have $2^{p_k} - 1$ solutions mod $(2^d - 1)$ [8, page 
32]. One solution is $s = 0$, so the number of nonzero solutions is $2^{p_k} - 2$. A cyclotomic 
coset of length $p_k$ has $p_k$ elements and hence the number of cyclotomic cosets 
of length $p_k$ is $\frac{2^{p_k} - 2}{p_k}$. 

Next we present the following known result [3]. We also provide a detailed 
proof for clarity. 

Theorem 2. Let $f(x)$ be a primitive polynomial over $GF(2)$ of even degree $d$. 
Then the trinomial $x^{\frac{2}{3}(2^d - 1)} + x^{\frac{1}{3}(2^d - 1)} + 1$ is divisible by $f(x)$. 

Proof. Let $x^i + x^j + 1$ be a trinomial multiple of $f(x)$. We know [3] (see 
also [5, Theorem 3]) that the values $i, j$ belong to cyclotomic cosets (mod 
$(2^d - 1)$) of the same length. Now we consider the cyclotomic coset of length 2. From the above 
discussion, the number of cyclotomic cosets of length 2 is $\frac{2^2 - 2}{2} = 1$, and the 
cyclotomic coset is $\{\frac{1}{3}(2^d - 1), \frac{2}{3}(2^d - 1)\}$. 

Let $f(x)$ be a primitive polynomial over $GF(2)$ of degree $d$. Let $\alpha$ be a root 
of it. So $\alpha$ is a primitive element of $GF(2^d)$. As $f(x)$ is a primitive polynomial 
its exponent is $e = 2^d - 1$. Now $\alpha^i \in GF(2^d)$ for any $i$, $1 \le i < e$. Here we choose 
$i = \frac{1}{3}(2^d - 1)$. So $1 + \alpha^i \in GF(2^d)$, which gives $1 + \alpha^i = \alpha^j$ for some $j$, $1 \le j < e$ 
and $j \ne i$. So $\alpha$ is a root of the trinomial $1 + x^i + x^j$. Since $f(x)$ is the minimal 
polynomial of $\alpha$, $f(x) \mid x^i + x^j + 1$. Now, as the values $i, j$ must belong to 
cyclotomic cosets mod $(2^d - 1)$ of the same length [5, Theorem 3] and $i = \frac{1}{3}(2^d - 1)$, $j$ must 
be $\frac{2}{3}(2^d - 1)$. Thus $f(x)$ divides $x^{\frac{2}{3}(2^d - 1)} + x^{\frac{1}{3}(2^d - 1)} + 1$. □ 

Note that this trinomial does not depend on any specific primitive polyno- 
mial of degree $d$. So all the primitive polynomials of degree $d$ will divide this 
trinomial. 

Corollary 2. For $d$ even, the trinomial $x^{\frac{2}{3}(2^d - 1)} + x^{\frac{1}{3}(2^d - 1)} + 1$ contains all the 
primitive polynomials of degree $d$ as its factors. 

For any $d$, we are aware of the polynomial $x^{2^d - 1} + 1$, which contains all 
the primitive polynomials of degree $d$ as its factors [9]. Note that for even $d$, the 
polynomial $x^{\frac{2}{3}(2^d - 1)} + x^{\frac{1}{3}(2^d - 1)} + 1$ also has all the primitive polynomials as its 
factors, and it is of lower degree than $x^{2^d - 1} + 1$. The product of the $\frac{\phi(2^d - 1)}{d}$ 
many different primitive polynomials of degree $d$ has total degree 
$\phi(2^d - 1)$. So there will be some other polynomials whose product contributes 
the degree $\frac{2}{3}(2^d - 1) - \phi(2^d - 1)$. 

Example 1. The trinomial $x^{\frac{2}{3}(2^d - 1)} + x^{\frac{1}{3}(2^d - 1)} + 1$ for $d = 8$ is $x^{170} + x^{85} + 1$. 

When we factorize $x^{170} + x^{85} + 1$, we get the following factors, of which the first 
16 give the complete list of primitive polynomials of degree 8. 

$(1 + x^2 + x^3 + x^4 + x^8)$, $(1 + x + x^3 + x^5 + x^8)$, $(1 + x^2 + x^3 + x^5 + x^8)$, 

$(1 + x^2 + x^3 + x^6 + x^8)$, $(1 + x + x^2 + x^3 + x^4 + x^6 + x^8)$, $(1 + x + x^5 + x^6 + x^8)$, 

$(1 + x^2 + x^5 + x^6 + x^8)$, $(1 + x^3 + x^5 + x^6 + x^8)$, $(1 + x^4 + x^5 + x^6 + x^8)$, 

$(1 + x + x^2 + x^7 + x^8)$, $(1 + x^2 + x^3 + x^7 + x^8)$, $(1 + x^3 + x^5 + x^7 + x^8)$, 

$(1 + x + x^6 + x^7 + x^8)$, $(1 + x + x^2 + x^3 + x^6 + x^7 + x^8)$, $(1 + x + x^2 + x^5 + x^6 + x^7 + x^8)$, 
$(1 + x^2 + x^4 + x^5 + x^6 + x^7 + x^8)$, $(1 + x + x^2)$, $(1 + x + x^4)$, $(1 + x^3 + x^4)$, 
and four further (non-primitive) factors of degree 8. 



In the above example we also have an interesting observation. We find that 
apart from the primitive polynomials of degree 8, we also have the exhaustive 
list of primitive polynomials of degree 4 and 2. In this direction we provide the 
following extension of Theorem 2. 

Theorem 3. If $d_1$ (even) divides $d$ (even) and $\frac{2^d - 1}{3} \not\equiv 0 \bmod (2^{d_1} - 1)$, then 
the trinomial $x^{\frac{2}{3}(2^d - 1)} + x^{\frac{1}{3}(2^d - 1)} + 1$ contains all the primitive polynomials of 
degree $d_1$ as its factors. 

Proof. We have that $d_1$ divides $d$. Hence $2^{d_1} - 1$ divides $2^d - 1$. Also both $d_1, d$ are 
even, and hence 3 divides both $2^{d_1} - 1$ and $2^d - 1$. Thus we get that $\frac{2^{d_1} - 1}{3}$ divides 
$\frac{2^d - 1}{3}$. Also we have that $2^{d_1} - 1$ does not divide $\frac{2^d - 1}{3}$. Hence 
$\frac{2^d - 1}{3} \bmod (2^{d_1} - 1)$ is either $\frac{1}{3}(2^{d_1} - 1)$ or $\frac{2}{3}(2^{d_1} - 1)$. 

Now consider any primitive polynomial $f_1(x)$ of degree $d_1$. Here 
$x^{\frac{2}{3}(2^d - 1)} + x^{\frac{1}{3}(2^d - 1)} + 1 \bmod f_1(x)$ is equal to 
$x^{\frac{2}{3}(2^d - 1) \bmod (2^{d_1} - 1)} + x^{\frac{1}{3}(2^d - 1) \bmod (2^{d_1} - 1)} + 1 \bmod f_1(x)$, 
as the exponent of $f_1(x)$ is $2^{d_1} - 1$ [9]. Since $\frac{2^d - 1}{3} \bmod (2^{d_1} - 1)$ is either 
$\frac{1}{3}(2^{d_1} - 1)$ or $\frac{2}{3}(2^{d_1} - 1)$, we get that 
$x^{\frac{2}{3}(2^d - 1) \bmod (2^{d_1} - 1)} + x^{\frac{1}{3}(2^d - 1) \bmod (2^{d_1} - 1)} + 1 \bmod f_1(x)$ 
equals $x^{\frac{2}{3}(2^{d_1} - 1)} + x^{\frac{1}{3}(2^{d_1} - 1)} + 1 \bmod f_1(x)$, which is zero by Theorem 2. 

Thus we get that any primitive polynomial $f_1(x)$ of degree $d_1$ divides 
$x^{\frac{2}{3}(2^d - 1)} + x^{\frac{1}{3}(2^d - 1)} + 1$. Hence all primitive polynomials of degree $d_1$ divide 
$x^{\frac{2}{3}(2^d - 1)} + x^{\frac{1}{3}(2^d - 1)} + 1$. □ 

Corollary 3. Let $d = 2^k$. Then any primitive polynomial of degree $d_1 = 2^j$, 
$0 < j < k$, will divide $x^{\frac{2}{3}(2^d - 1)} + x^{\frac{1}{3}(2^d - 1)} + 1$. 

Proof. The proof follows from the above theorem, noting that $\frac{2^d - 1}{3} \not\equiv 0 \bmod 
(2^{d_1} - 1)$. □ 

Theorem 2, Theorem 3 and Corollary 2 have considered only even $d$. 
Thus, in this case, given any primitive polynomial we have a specific construction 
of its trinomial multiple. The more general case is when $d$ is either even or odd. 
Consider a prime $p_k$ which divides $d$. Let $f(x)$ be any primitive polynomial over 
$GF(2)$ of degree $d$. Then there exists a trinomial $x^i + x^j + 1$ which is divisible by 
$f(x)$, where $i, j$ must be selected properly from the cyclotomic cosets of length 
$p_k$ [5]. If $p_k$ is small, then to get a trinomial multiple of any primitive polynomial 
of degree $d$ we can exhaustively search the cyclotomic cosets of length $p_k$ only, for a 
specific construction. 

3.1 Algorithms to Find Trinomial Multiples 

Next we provide a randomized algorithm to find trinomial multiples of a 
primitive polynomial. This will work for any primitive polynomial of degree $d$, 
both even or odd. We once again concentrate on Corollary 1. We know that, 
given a primitive polynomial $f(x)$ of degree $d$, there will be $(2^{d-1} - 1)$ distinct 
trinomial (of degree $< 2^d - 1$) multiples of $f(x)$. Now the trinomial multiples will 
have degree from $d + 1$ to $2^d - 2$. Also it should be noted that, given a specific 
degree $d_1$, $d + 1 \le d_1 \le 2^d - 2$, there will either be no trinomial multiple of degree 
$d_1$ or there will be only a single trinomial multiple of degree $d_1$. Thus, out of 
$(2^d - 2 - d)$ different degree positions from $d + 1$ to $2^d - 2$, we have $2^{d-1} - 1$ degree 
positions where we have trinomial multiples. Now let us provide the following 
randomized algorithm. 

Algorithm 1. 

1. Choose an integer $d_r$ in the range $d + 1$ to $2^d - 2$ uniformly at random. 

2. For $i = 1$ to $i = d_r - 1$, consider the trinomials $x^{d_r} + x^i + 1$ and check whether 
any one of them is divisible by $f(x)$. If we get a trinomial multiple of $f(x)$, 
then terminate, else go to Step 1. 

End Algorithm 

We have experimentally checked that, given a $d$-degree primitive polynomial 
$f(x)$, there are expected to be a lot of trinomial multiples of $f(x)$ close 
to degree $2^d - 2$ (from below) and very few trinomial 
multiples of $f(x)$ close to degree $d + 1$ (from above). Even 
then, if we consider that the degrees of the trinomial multiples are distributed 
uniformly in the range $d + 1$ to $2^d - 2$, we can say that the probability that 
there exists a trinomial multiple at a (uniformly randomly chosen) degree $d_r$ is 
$\frac{2^{d-1} - 1}{2^d - d - 2} \approx \frac{1}{2}$. Thus, it is expected that Algorithm 1 will have very few iterations 
before termination. 

At this point, it is important to refer to a result on 4-nomial multiples of a 
primitive polynomial [11, Page 174]. Given a primitive polynomial $f(x)$ of degree 
$d$, it is possible to get a 4-nomial multiple $f_4(x)$ of $f(x)$ of degree less than 
$2^{d/3}$ with time complexity $O(2^{d/3})$ with high probability. The technique uses 
probabilistic results related to the birthday attack. The randomized algorithm 
we propose here provides a trinomial multiple in small time with high probability. 
The only drawback is that the degree of the trinomial multiple may be high. 
However, it is important to mention at this point that it may not be possible 
to get trinomial multiples of low degree. As an example, consider two primitive 
polynomials of degree 24, one of weight 5 and one of weight 9. We have checked 
that they do not have any trinomial multiple up to degree $2^{d/3} = 2^{24/3} = 2^8$. 

The ideas we have discussed so far provide trinomial multiples. However, the 
degree of these trinomial multiples may be very high. We know from [11] that 
if the connection polynomial of an LFSR is a primitive polynomial of low weight, then 
cryptanalytic attacks become possible. In the same direction, it is also 
clear that if there is a primitive polynomial $f(x)$ of degree $d$ with high weight 
which has a moderate degree ($> d$) trinomial multiple $f_t(x)$, then the recurrence 
relation satisfied by $f(x)$ will also be satisfied by $f_t(x)$. It is then important 
to find trinomial multiples of low degree for fast cryptanalytic attacks [11]. 
Hence it is a very important question, given a primitive polynomial $f(x)$ of 
degree $d$, how to find the trinomial multiple $f_t(x)$ of $f(x)$ with minimum 
possible degree. We next provide a simple algorithm to find the minimum degree 
trinomial multiple of a primitive polynomial. 

Algorithm 2. 

1. For $i = d + 1$ to $2^d - 2$, for $j = 1$ to $i - 1$, 

a) Consider the trinomial $x^i + x^j + 1$. 

b) If $f(x)$ divides $x^i + x^j + 1$ then report this trinomial and terminate. 

End Algorithm 
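The Zech-logarithm construction of Theorem 1, the count of Corollary 1, the trinomial of Theorem 2 and Algorithm 2 in one runnable piece, as an added example in Python (not code from the paper). It assumes the usual bit-vector representation of $GF(2)[x]$ polynomials and brute-forces primitivity by the order of $x$, which is adequate for the small degrees (4 and 8) used here.

```python
"""Trinomial multiples of a primitive polynomial over GF(2) (Theorem 1,
Corollary 1, Theorem 2, Algorithm 2).  Added example, not the paper's code.
A polynomial is an int whose bit k is the coefficient of x^k, so
x^4 + x + 1 is 0b10011."""


def degree(p):
    return p.bit_length() - 1


def poly_mod(a, m):
    """Remainder of a modulo m in GF(2)[x]: XOR-based long division."""
    dm = degree(m)
    while a and degree(a) >= dm:
        a ^= m << (degree(a) - dm)
    return a


def is_primitive(f):
    """Definition 4: f of degree d is primitive iff x has order exactly 2^d - 1 mod f."""
    d = degree(f)
    if d < 1 or not f & 1:            # need f(0) != 0
        return False
    e = (1 << d) - 1
    pw = 1
    for k in range(1, e + 1):
        pw = poly_mod(pw << 1, f)     # pw = x^k mod f
        if pw == 1:
            return k == e
    return False


def primitive_polynomials(d):
    """All primitive polynomials of degree d (monic, constant term 1)."""
    return [g for g in range((1 << d) | 1, 1 << (d + 1), 2) if is_primitive(g)]


def trinomial_multiples(f):
    """Theorem 1 / Corollary 1 made constructive with Zech's logarithm.

    alpha is a root of the primitive f.  Tabulate alpha^k (k < 2^d - 1) and the
    inverse table (discrete log).  For each i, j = Z(i) satisfies
    1 + alpha^i = alpha^j, hence f | x^i + x^j + 1.  Returns the pairs (i, j)
    with i > j; by Corollary 1 there are 2^(d-1) - 1 of them."""
    d = degree(f)
    e = (1 << d) - 1
    power = [1] * e
    log = {1: 0}
    for k in range(1, e):
        power[k] = poly_mod(power[k - 1] << 1, f)
        log[power[k]] = k
    found = set()
    for i in range(1, e):
        j = log[power[i] ^ 1]         # adding 1 in GF(2^d) flips the constant bit
        found.add((max(i, j), min(i, j)))
    return sorted(found)


def theorem2_trinomial(d):
    """Theorem 2: for even d, x^(2(2^d-1)/3) + x^((2^d-1)/3) + 1 is divisible by
    every primitive polynomial of degree d."""
    third = ((1 << d) - 1) // 3
    return (1 << 2 * third) | (1 << third) | 1


def min_degree_trinomial(f):
    """Algorithm 2: smallest i > d with some 1 <= j < i such that f | x^i + x^j + 1."""
    d = degree(f)
    for i in range(d + 1, (1 << d) - 1):
        for j in range(1, i):
            if poly_mod((1 << i) | (1 << j) | 1, f) == 0:
                return (i, j)
    return None


if __name__ == "__main__":
    f = 0b10011                                  # x^4 + x + 1, primitive
    print("trinomial multiples (i, j):", trinomial_multiples(f))
    print("Algorithm 2 result:", min_degree_trinomial(f))
    t2 = theorem2_trinomial(8)                   # x^170 + x^85 + 1 of Example 1
    print("degree-8 primitives dividing it:",
          sum(poly_mod(t2, g) == 0 for g in primitive_polynomials(8)))
```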

It is important to note that this is an output sensitive algorithm, in the sense 
that it will always provide the correct result and the complexity depends on 
the degree of the minimum degree trinomial multiple of $f(x)$. Let us consider 
that for a degree $d$ primitive polynomial $f(x)$, the degree of the minimum degree 
trinomial multiple $f_t(x)$ is $d_f$. Then the complexity of Algorithm 2 is 
$\sum_{i=d+1}^{d_f} (i - 1) \, Div(i, d)$, where $Div(i, d)$ is the complexity of dividing a degree $i$ trinomial 
by a degree $d$ polynomial. It will be of interest to find an algorithm for this 
problem which has time complexity polynomial in $d$. Also note that in [5, 
Theorem 1] it has been said that if a degree $d$ primitive polynomial $f(x)$ has 
any trinomial multiple, then $f(x)$ must have a trinomial multiple with degree 
bounded as stated there. Since we have already proved that each primitive polynomial must 
have a trinomial multiple, it is clear that each primitive polynomial must have a 
trinomial multiple with degree within that bound. However, this bound is also very high, and 
we have experimentally checked that there are trinomial multiples with degree 
much less than it. Hence the bound provided in [5] is not tight. It will be an 
interesting question to get a better bound at lower degree. 

Now we conclude this issue by discussing the relationship of our problem to 
the discrete log problem [12]. The discrete log problem can be seen as follows in 
terms of finite fields. Let $\beta_1$ be a nonzero element of $GF(2^d)$ and $\beta_2$ be a primitive 
element of this field. Then $\beta_1 = \beta_2^k$ for some $k$. The discrete log problem is to 
find this $k$, given $\beta_1, \beta_2$. 

Now we come back to our problem of finding a trinomial multiple of a prim- 
itive polynomial. Let us consider a primitive polynomial $f(x)$ of degree $d$. Let $\alpha$ 
be a root of $f(x)$. Note that $\alpha$ is a primitive element. Now we need to find 
some $i, j$, $1 \le i \ne j \le 2^d - 2$, such that $1 + \alpha^i = \alpha^j$. Now it is very easy to compute 
$\beta = 1 + \alpha^i$ in time polynomial in $d$. Hence, if we can use a discrete log algorithm 
as a subroutine, we can find the value of $j$, where $\beta = \alpha^j$. Since we know 
that the discrete log problem has a subexponential time algorithm [12], we can 
solve the problem of finding a trinomial multiple of a primitive polynomial 
in subexponential time in $d$. 

The next interesting issue is to decide whether this trinomial multiple prob- 
lem is as hard as the discrete log problem. To show this one needs to show that 
the discrete log problem is polynomial time reducible to this trinomial multiple 
problem. This is not yet solved, though we can provide some partial result. Con- 
sider the following version of the discrete log problem, which we call $\mathcal{P}_1$: Given 
an element $\beta_1 \in GF(2^d)$, find the value of $k$, if it exists at all, where $\beta_1 = (\beta_1 + 1)^k$. 
Note that here $\beta_1$ may not be a primitive element. Now consider 
the following problem $\mathcal{P}_2$: Given any element $\gamma \in GF(2^d)$, find $j$, if 
it exists at all, such that $1 + \gamma = \gamma^j$. We show that $\mathcal{P}_1$ is polynomial time reducible 
to $\mathcal{P}_2$. Let $\beta_1 = 1 + \beta_1 + 1 = 1 + \beta_2$, where $\beta_2 = \beta_1 + 1$; this step can be 
done in constant time. Now we use the algorithm for problem $\mathcal{P}_2$ to find the 
value of $j$, if it exists at all, where $1 + \beta_2 = \beta_2^j$. This means we can find $j$ 
where $\beta_1 = (\beta_1 + 1)^j$. This $j$ of problem $\mathcal{P}_2$ gives the value of $k$ in $\mathcal{P}_1$. Hence 
the problem $\mathcal{P}_2$ is at least as hard as $\mathcal{P}_1$. 

Note that in problem $\mathcal{P}_2$ we have taken $\gamma$ as any element of $GF(2^d)$. For 
the cases where $\gamma$ is a primitive element, a solution of this problem provides a 
trinomial multiple of the form $1 + x + x^j$ of a primitive polynomial $f(x)$. Hence, 
it is also not very clear whether finding a trinomial multiple of $f(x)$ of the 
form $1 + x + x^j$ is as hard as the discrete log problem. 

4 On t-Nomial Multiples 

Given a primitive polynomial, we have considered the issues related to its trinomial 
multiples ($t = 3$). It is also important to discuss the issues on $t$-nomial 
multiples when $t$ is low, as example $t = 5, 7, \ldots$ etc. If one can find a $t$-nomial 
multiple of a primitive polynomial (which may be of high weight), where $t$ is low, then 
the system may become susceptible to cryptanalytic attacks. In this direction we 
provide the following result, which is a generalization of [5, Theorem 7]. 

Theorem 4. Let there exist a primitive $t$-nomial $f(x)$ of degree $d$. Then there 
exists a degree $d$ primitive polynomial $g(x)$ which divides some $t$-nomial of degree 
$sd$ ($s$ odd) when $\gcd(s, 2^d - 1) = 1$. 

Proof. Let $f(x)$ be a primitive $t$-nomial of degree $d$ and $\alpha$ be a root of it. Let $s$ 
be an odd integer such that $\gcd(s, 2^d - 1) = 1$. Let $\beta$ be the $s$-th root of $\alpha$, i.e., 
$\beta^s = \alpha$; $\beta$ is a primitive element of $GF(2^d)$. Note that the minimal polynomial 
$g(x)$ of $\beta$ is a primitive polynomial and its degree is $d$. Now $f(\beta^s) = f(\alpha) = 0$, 
i.e., $\beta$ is a root of $f(x^s)$. On the other hand $g(x)$ is the minimal polynomial of $\beta$. 
Hence $g(x)$ divides $f(x^s)$. It is clear that $f(x^s)$ is a $t$-nomial and its degree is 
$sd$. Hence we can produce a primitive polynomial $g(x)$ of degree $d$ which divides 
a $t$-nomial of degree $sd$. □ 

Note that in the above theorem we have taken $s$ odd as we are working over 
$GF(2)$. If $s$ is even, then we can write $s = 2^r s_1$, where $s_1$ is odd, and replace $s$ 
by $s_1$ in Theorem 4. 

The importance of Theorem 4 is that there exist a lot of primitive poly- 
nomials of degree $d$ which have a sparse multiple at a low degree, making them 
susceptible to cryptanalytic attacks. As an example, consider the primitive trinomial 
$x^7 + x + 1$. Also we have $\gcd(3, 2^7 - 1) = 1$. Now consider the trinomial 
$x^{21} + x^3 + 1$. Theorem 4 guarantees that there exists a primitive polynomial of 
degree 7 which divides the trinomial $x^{21} + x^3 + 1$. In fact, the primitive poly- 
nomial is $x^7 + x^6 + x^4 + x + 1$, which is also of high weight. Hence when we 
are choosing a primitive polynomial of some degree $d$, even if we go for a high 
weight, it is in no way guaranteed that it will not have a sparse multiple of low 
degree $sd$. 

We now provide the motivation for using the weight distribution of the prim- 
itive polynomials over $GF(2)$. Let us consider the case of primitive polynomials 
with degree $d = 23$. Note that $\gcd(3, 2^{23} - 1) = 1$. Now look into the weight dis- 
tribution of degree 23 polynomials [16]. There are 4 primitive trinomials. Hence 
there must be 4 primitive polynomials of degree 23 which divide trinomials of 
degree $3 \cdot 23 = 69$. Similarly, there are 292 primitive 5-nomials of degree 23. 
Thus there are 292 primitive polynomials of degree 23 which divide 5-nomials 
of degree $3 \cdot 23 = 69$. Once again, there are 4552 primitive 7-nomials of degree 
23. This gives that there are 4552 primitive polynomials of degree 23 which 
divide 7-nomials of degree $3 \cdot 23 = 69$. 

This has different implications for attackers and designers. For the existing 
systems, the attackers may try to find $t$-nomial (small $t$) moderate degree 
multiples of the primitive polynomials, which may even be of high weight. On 
the other hand, the designers should check whether the primitive polynomials 
they are using possess any sparse multiple or not. That is, given a degree $d$, the 
designer should find the primitive polynomials $p(x)$ of low weight. Then if 
$\gcd(s, 2^d - 1) = 1$ for some small $s$, $p(x^s)$ needs to be factorized. Clearly 
from Theorem 4, one of the factors of $p(x^s)$ will be a primitive polynomial $g(x)$ 
of degree $d$, which is different from $p(x)$. Now, even if $g(x)$ is of high weight, 
it should not be used in the system. Thus using this idea, one can identify a 
large class of primitive polynomials of high weight which have sparse multiples at 
a moderate degree. These should not be recommended for use in cryptographic 
schemes. The weight distribution table [16] helps a lot in such an analysis. Next we 
discuss an interesting observation towards the generation of primitive polynomials. 
We will consider degrees 7 and 8. 

We start with the case of degree 7. Note that $\gcd(3, 2^7 - 1) = 1$. Now 
we start from the primitive polynomial $f_1(x) = x^7 + x + 1$ and consider 
the polynomial $f_1(x^3) = x^{21} + x^3 + 1$. From Theorem 4, $f_1(x^3)$ must have 
another primitive polynomial of degree 7 as its factor. We have factorized $f_1(x^3)$ 
and found the primitive polynomial $f_2(x) = x^7 + x^6 + x^4 + x + 1$ as a factor of 
$f_1(x^3)$. Similarly $f_2(x^3)$ has a primitive polynomial factor $f_3(x) = x^7 + x^5 + x^4 + 
x^3 + x^2 + x + 1$. If we continue this process, we can exhaust all the 18 primitive 
polynomials of degree 7. This provides a fast technique to exhaust the list of all 
the primitive polynomials of degree 7. 

For degree 8 the scenario is a little different. Here we have $\gcd(7, 2^8 - 1) = 1$. 
If we start from $g_1(x) = x^8 + x^4 + x^3 + x^2 + 1$ and factorize $g_1(x^7)$, we will get 
a primitive polynomial of weight 7. In this way we will 
get a cycle which exhausts 8 primitive polynomials. On the other hand, if we 
start with another primitive 5-nomial $h_1(x)$ and factorize $h_1(x^7)$, this will provide 
a further primitive 5-nomial. This will again move in a cycle to exhaust the remaining 
8 primitive polynomials of degree 8. 

Hence one may choose a primitive polynomial $f(x)$ of certain degree $d$ and 
find the smallest $s > 1$ satisfying $\gcd(s, 2^d - 1) = 1$. Then factorization of $f(x^s)$ 
will provide another primitive polynomial of degree $d$. Now we can generate the 
complete list of polynomials over $GF(2)$ of low weight $t$ (say 3 or 5) and then 
check each of these for primitivity. This will take $\binom{d-1}{t-2}$ primitivity tests. 
Hence it is easy to find the initial primitive polynomial, and then we can use 
the above method for finding primitive polynomials of high weight with the 
constraint that their multiple at degree $sd$ will also have high weight. This kind of 
technique will help in providing cryptographically strong primitive polynomials. 

We have already discussed that given a primitive polynomial $f(x)$ of degree 
$d$, we can construct $f(x^s)$ and then, factorizing this, we will get another primitive 
polynomial $g(x)$ of the same degree $d$, where $\gcd(s, 2^d - 1) = 1$. In the other direction, 
given $g(x)$ we can generate $g(x^{s'})$, where $ss' \equiv 1 \bmod (2^d - 1)$, and $g(x^{s'})$ will 
have $f(x)$ as its factor. 

This has an important implication in choosing a proper connection polyno- 
mial. It will at least help in discarding some possibilities of getting a sparse 
multiple at low degree. Suppose we have chosen a primitive polynomial $g(x)$ 
with high weight. We choose some small values of $s$ such that $\gcd(s, 2^d - 1) = 1$. 
Then it is possible to calculate $s'$ where $ss' \equiv 1 \bmod (2^d - 1)$. Next we factorize 
$g(x^{s'})$, which will generate some primitive polynomial $f(x)$ as its factor. If $f(x)$ 
is of low weight, then $f(x^s)$ is also of the same low weight, and it is a sparse 
multiple of $g(x)$. Thus the designer should use this technique to discard some 
possibilities of the existence of a sparse multiple. 
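The Section 4 construction as an added example (not the paper's code): Theorem 4's degree-$d$ factor of $f(x^s)$, the degree-7 and degree-8 cycles, and the designer's check through $g(x^{s'})$ with $ss' \equiv 1 \bmod (2^d - 1)$. It assumes the bit-vector representation of $GF(2)[x]$ polynomials and relies on the fact, argued in the comments, that $f(x^s)$ has exactly one factor of degree $d$, so that factor can be found by trial division instead of a general factorization.

```python
"""Section 4 constructions (Theorem 4, the degree-7/8 cycles, the designer's
g(x^{s'}) check), as an added example rather than the paper's own code.
GF(2)[x] polynomials are ints with bit k = coefficient of x^k."""


def degree(p):
    return p.bit_length() - 1


def poly_mod(a, m):
    """Remainder of a modulo m in GF(2)[x]."""
    dm = degree(m)
    while a and degree(a) >= dm:
        a ^= m << (degree(a) - dm)
    return a


def weight(p):
    """Number of nonzero terms (Definition 7: a t-nomial has weight t)."""
    return bin(p).count("1")


def compose_power(f, s):
    """f(x^s): every exponent k of f becomes k*s; the weight is unchanged."""
    g = 0
    for k in range(degree(f) + 1):
        if (f >> k) & 1:
            g |= 1 << (k * s)
    return g


def next_primitive(f, s):
    """Theorem 4: for f primitive of degree d and gcd(s, 2^d - 1) = 1, f(x^s) has
    exactly one factor of degree d, the minimal polynomial g of the s-th root of
    a root of f, and g is primitive.  Every root gamma of f(x^s) satisfies
    gamma^s = alpha^(2^k) with alpha of order 2^d - 1, so ord(gamma) is a
    multiple of 2^d - 1 and gamma lies in no smaller field GF(2^a), a < d:
    there is no factor of degree < d, hence any degree-d divisor is g.
    Trial division over the 2^(d-1) monic candidates with constant term 1."""
    d = degree(f)
    h = compose_power(f, s)
    for g in range((1 << d) | 1, 1 << (d + 1), 2):
        if poly_mod(h, g) == 0:
            return g
    raise ValueError("no degree-d factor: is f primitive and gcd(s, 2^d - 1) = 1?")


def primitive_cycle(f, s):
    """Repeat f -> degree-d factor of f(x^s) until the starting polynomial recurs.
    The paper reports 18 polynomials for (x^7 + x + 1, s = 3) and cycles of 8
    for degree 8 with s = 7."""
    cycle = [f]
    g = next_primitive(f, s)
    while g != f:
        cycle.append(g)
        g = next_primitive(g, s)
    return cycle


def sparse_multiple_check(g, s):
    """Designer's check: with s' = s^-1 mod (2^d - 1), the degree-d factor f of
    g(x^{s'}) satisfies g | f(x^s).  Returns (f, f(x^s)); a low weight(f) means
    the high-weight g has a sparse multiple of degree s*d and should be avoided."""
    d = degree(g)
    s_inv = pow(s, -1, (1 << d) - 1)
    f = next_primitive(g, s_inv)
    multiple = compose_power(f, s)
    assert poly_mod(multiple, g) == 0
    return f, multiple


if __name__ == "__main__":
    f1 = 0b10000011                        # x^7 + x + 1, the paper's f_1
    for p in primitive_cycle(f1, 3):
        print(f"{p:08b}  weight {weight(p)}")
    g = next_primitive(f1, 3)              # x^7 + x^6 + x^4 + x + 1, the paper's f_2
    f, m = sparse_multiple_check(g, 3)
    print(f"{g:08b} divides f(x^3) = {bin(m)} with sparse f = {f:08b}")
```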
Abstract. This paper investigates an oblivious transfer protocol based 
on privacy amplification that uses Rényi entropy of order $\alpha$ for any 
$1 < \alpha < 2$; the conditions under which the protocol is secure are given. 
The protocol makes no assumptions about the receiver's computing power, 
so under the given conditions the protocol is unconditionally secure. 

Keywords: Oblivious transfer, Rényi entropy, Privacy amplification, 
Unconditionally-secure. 



1 Introduction 

Oblivious transfer is an important primitive in modern cryptography, and has 
become the basis for realizing a broad class of cryptographic protocols, such as bit 
commitment, zero-knowledge proofs, and general secure multiparty computation. 
Oblivious transfer can be divided into five classes: 

OT: Alice sends a bit $b$ and Bob receives either nothing or $b$, each with 
probability 1/2, but Alice does not learn which one [1]. 

$\binom{2}{1}$-OT: It is chosen one-out-of-two OT, where Alice has two input bits $b_0$ 
and $b_1$, Bob chooses $c$ and obtains $b_c$, but Alice does not learn $c$ [2]. 

$\binom{2}{1}$-OT$^k$: It is string OT, where Alice has two $k$-bit input strings $w_0$ 
and $w_1$, Bob chooses $c$ and obtains $w_c$, but Alice does not learn $c$ [2]. 

GOT: It is generalized OT, where Alice has input bits $b_0$ and $b_1$, Bob 
chooses any function $f : \{0, 1\}^2 \to \{0, 1\}$ and obtains $f(b_0, b_1)$, but Alice does 
not learn $f$ [3]. 

UOT: It is universal OT, where Alice sends a random variable $X$ with al- 
phabet $\mathcal{X}$ and Bob obtains a random variable $Y$. Bob can secretly specify the 
distributions $P_{Y|X=x}$ for all $x \in \mathcal{X}$ such that $Y$ does not give Bob complete 
information about $X$ (if not stated otherwise, random variables are always de- 
noted by capital letters and the alphabet of a random variable is denoted by the 
corresponding script letter) [4]. 

* This research was supported by the China National Science Foundation, grant no. 
69972034, Foundation of National Laboratory For Secure Communications, grant 
In [2], $\binom{2}{1}$-OT$^k$ was reduced to $\binom{2}{1}$-OT by using particular types 
of error-correcting codes called self-intersecting codes. In [5], $\binom{2}{1}$-OT$^k$ and 
GOT were reduced to $\binom{2}{1}$-OT based on privacy amplification with Rényi 
entropy of order two. In [4], $\binom{2}{1}$-OT$^k$ was reduced to UOT based on privacy 
amplification with min-entropy, and its security was proven by using the side- 
information called spoiling knowledge; this type of side-information will increase 
Bob's Rényi entropy of Alice's input. However, to obtain more knowledge about 
what was sent by Alice, it is desirable for Bob to decrease the Rényi entropy of 
Alice's input. 

In this paper, we utilize the same protocol as the one in [4,5] to reduce $\binom{2}{1}$- 
OT$^k$ to UOT, but we use privacy amplification with Rényi entropy of order $\alpha$ for 
any $\alpha$ between 1 and 2. Privacy amplification, in short, is a process that allows 
two parties to distill a secret key from common information about which an 
adversary has partial knowledge. The two parties do not know anything about 
the adversary's knowledge except that it satisfies a general bound. By using 
a publicly chosen compression function, they are nevertheless able to extract 
a short key from their common information such that the adversary's total knowledge 
about the key is arbitrarily small. 

In [7,8], it was shown that privacy amplification with Rényi entropy of 
order $\alpha$ for $1 < \alpha < 2$ is better than that with Rényi entropy of order 2 or with 
min-entropy, and in our oblivious transfer protocol we prove its security without 
using the side-information of spoiling knowledge. 



2 Preliminaries 

Definition 1 [7, 8, 9]. Let X be a random variable with alphabet $\mathcal{X}$ and distribution $P_X$. The Rényi entropy of order $\alpha$ of X is 

$$H_\alpha(X) = \frac{1}{1-\alpha}\log\sum_{x\in\mathcal{X}} P_X(x)^\alpha$$ 

for $\alpha > 0$ and $\alpha \ne 1$. When $\alpha = 2$, $H_2(X) = -\log\sum_{x\in\mathcal{X}} P_X(x)^2$. Because the limiting case of Rényi entropy for $\alpha \to 1$ is Shannon entropy, we can extend the definition to 

$$H_1(X) = H(X) = -\sum_{x\in\mathcal{X}} P_X(x)\log P_X(x).$$ 

Definition 2 [7, 8, 9]. The relative entropy between two probability distributions $P_X, P_Y$ with the same alphabet $\mathcal{X}$ is defined as 

$$D(P_X\|P_Y) = \sum_{x\in\mathcal{X}} P_X(x)\log\frac{P_X(x)}{P_Y(x)}.$$ 

If $P_Y$ is the uniform distribution over $\mathcal{X}$, $D(P_X\|P_Y) = \log|\mathcal{X}| - H(X)$.

Definition 3 [7, 8, 9]. Let M be a nonuniformity measure and let $\Delta: \mathbb{R} \to \mathbb{R}$ be a decreasing non-negative function. A random variable X with alphabet $\mathcal{X}$ has smooth entropy $\Psi(X)$ within $\Delta(s)$ [in terms of M] with probability $1 - \epsilon$ if $\Psi(X)$ is the maximum of all $\psi$ such that for any security parameter $s > 0$, there exist a random variable T and a function $f: \mathcal{X}\times\mathcal{T} \to \mathcal{Y}$ with $|\mathcal{Y}| = \lceil 2^{\psi - s}\rceil$ such that there is a failure event $\mathcal{E}$ that has probability at most $\epsilon$ and the expected value over T of the nonuniformity M of $Y = f(X, T)$, given T and the complement $\overline{\mathcal{E}}$ of the failure event, is at most $\Delta(s)$. Formally, 

$$\Psi(X) = \max\{\psi \mid \forall s > 0 : \exists T, f: \mathcal{X}\times\mathcal{T}\to\mathcal{Y}, |\mathcal{Y}| = \lceil 2^{\psi - s}\rceil : Y = f(X, T), \exists \mathcal{E}: P[\mathcal{E}] \le \epsilon, M(Y \mid T\,\overline{\mathcal{E}}) \le \Delta(s)\}.$$ 

Theorem 1 [7, 8, 9]. Fix $r, t > 0$, let m be an integer such that $m - \log(m+1) > \log|\mathcal{X}| + t$, and let s be the security parameter for smooth entropy. For any $1 < \alpha < 2$, the smooth entropy of a random variable X within $\Delta(s)$ in terms of relative entropy with probability $1 - 2^{-r} - 2^{-t}$ is lower bounded by the Rényi entropy of order $\alpha$ in the sense that 

$$\Psi(X) \ge H_\alpha(X) - \log(m+1) - \frac{r}{\alpha - 1} - t - 2.$$ 

Definition 4 [10]. A class $\mathcal{F}$ of functions $A \to B$ is called Universal$_2$ (or simply Universal) if, for all $x_1, x_2 \in A$ with $x_1 \ne x_2$, the probability that $f(x_1) = f(x_2)$ is at most $1/|B|$ when f is chosen from $\mathcal{F}$ according to the uniform distribution.

Theorem 2 [7, 8]. Let $\alpha, r, t, m, s$ be the same as in Theorem 1, let V summarize Eve's total knowledge about W, and let v be a particular value of V observed by Eve; Alice and Bob select $K = G(W)$ as their secret key, where G is chosen at random from a universal class of hash functions $\mathcal{W} \to \{0,1\}^k$. Then if 

$$k < H_\alpha(W \mid V = v) - \log(m+1) - \frac{r}{\alpha - 1} - t - 2 - s,$$ 

with probability $1 - 2^{-r} - 2^{-t}$ Eve's information about K is at most $\Delta(s)$.

Proof. It is easy to see that $|\mathcal{K}| = 2^k \le 2^{\Psi(W \mid V = v) - s}$, i.e., $k \le \Psi(W \mid V = v) - s$, by the definition of smooth entropy. Take $k < H_\alpha(W \mid V = v) - \log(m+1) - \frac{r}{\alpha - 1} - t - 2 - s$, which meets the definition of smooth entropy (with probability $1 - 2^{-r} - 2^{-t}$). Applying Theorem 1 and the definition of relative entropy shows that 

$$H(K) = \log|\mathcal{K}| - D(P_K\|P_U) \ge \log|\mathcal{K}| - \Delta(s).$$ 

Thus $H(K \mid G, V = v) \ge \log|\mathcal{K}| - \Delta(s) = k - \Delta(s)$, which is equivalent to the inequality that Eve's information about K is at most $\Delta(s)$.
3 The Oblivious Transfer Protocol

In this section, we implement a reduction of $\binom{2}{1}$-OT$^k(w_0, w_1)(c)$ to UOT(X, Y) such that $\mathcal{X} = \{0,1\}^{2n}$, where $w_0$ and $w_1$ are two k-bit strings chosen by Alice, and c is chosen by Bob such that it is not known by Alice.



Stepl: Let X = XqXi, where Xq and Xi both are random binary strings of 
length n and chosen by Alice according to the uniform distribution, X is 
the concatenation of Xq and Xi. 

Step2: Alice and Bob run UOT (X,Y), where Bob secretly chosen Py\x=x for 
X G X to obtain Y = Xc- 

Step3: Alice chooses independently two members Gq,Gi from a class universal 
hash functions mapping n-bit strings to fc-bit strings and announces them 
to Bob. 

Step4: Alice computes Mq = Gq (Aq) ,Mi = Gi (Ai). She encodes wq and wi 
as Zq = Mq © Wq and Zi = Mi © wi and sends Zq and Zi to Bob. 

Step5: Bob computes Wc as Wc = Gc (A) © Zc- 
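
The five steps above as an added, runnable toy example (not the paper's own code): UOT(X, Y) is replaced by an ideal functionality that simply hands Bob $X_c$, and the universal class of Definition 4 is realised as random k x n matrices over GF(2); the seed, string lengths and the empirical collision check are assumptions made here.

```python
"""Added example (not the paper's code): a toy run of Steps 1-5 of the
(2 1)-OT^k -> UOT reduction.  UOT(X, Y) is idealised as 'Bob receives X_c';
the universal_2 class is the set of random k x n matrices over GF(2)."""
import random

rng = random.Random(2001)   # fixed seed so the run is reproducible


def rand_bits(length):
    """Uniformly random bit string (Step 1 sampling of X_0 and X_1)."""
    return [rng.randrange(2) for _ in range(length)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def sample_universal_hash(n, k):
    """One member G of the universal_2 class {x -> A x over GF(2)}: a random
    k x n 0/1 matrix.  For x_1 != x_2, Pr[A x_1 = A x_2] = 2^-k (Definition 4)."""
    return [rand_bits(n) for _ in range(k)]


def apply_hash(matrix, x):
    """G(x): each output bit is the parity of the inner product <row, x>."""
    return [sum(a & b for a, b in zip(row, x)) % 2 for row in matrix]


def uot(x, c, n):
    """Idealised UOT(X, Y): Bob's secret choice c selects Y = X_c (Step 2)."""
    return x[c * n:(c + 1) * n]


def alice_encode(x0, x1, g0, g1, w0, w1):
    """Step 4: M_i = G_i(X_i) serve as one-time pads for w_0 and w_1."""
    return xor(apply_hash(g0, x0), w0), xor(apply_hash(g1, x1), w1)


def bob_decode(y, c, g0, g1, z0, z1):
    """Step 5: w_c = G_c(X_c) xor Z_c.  Bob lacks X_{1-c}, so Z_{1-c} stays masked."""
    g, z = (g0, g1)[c], (z0, z1)[c]
    return xor(apply_hash(g, y), z)


def run_protocol(w0, w1, c, n):
    """Full run; returns the k-bit string Bob recovers.  w0, w1 are bit lists."""
    k = len(w0)
    x0, x1 = rand_bits(n), rand_bits(n)                                 # Step 1
    y = uot(x0 + x1, c, n)                                               # Step 2
    g0, g1 = sample_universal_hash(n, k), sample_universal_hash(n, k)    # Step 3
    z0, z1 = alice_encode(x0, x1, g0, g1, w0, w1)                        # Step 4
    return bob_decode(y, c, g0, g1, z0, z1)                              # Step 5


def collision_rate(x1, x2, k, trials):
    """Empirical check of Definition 4: fraction of random G with G(x1) == G(x2);
    for x1 != x2 it should be close to 2^-k."""
    hits = sum(apply_hash(g, x1) == apply_hash(g, x2)
               for g in (sample_universal_hash(len(x1), k) for _ in range(trials)))
    return hits / trials
```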



By the definition of UOT(X, Y) in Step 2, the protocol is perfectly private for Bob (Alice learns nothing about Bob's choice). That the protocol is private for Alice means that Bob cannot learn information on both $w_0$ and $w_1$ except perhaps with negligible probability; in addition, Bob must not be able to obtain joint information on $w_0$ and $w_1$ except for what follows from his a priori knowledge and his learning one of the two strings. In Step 4, Alice encrypts $w_0$ and $w_1$ using $M_0$ and $M_1$ as one-time pads, so Alice's security depends on $M_0$ and $M_1$, and further on X. Because the length k of $w_0$ and $w_1$ is constant, if the length of X is too short and X's Rényi entropy of order $\alpha$ conditioned on Y is too small, the information leaked by Alice to Bob in Step 4 will be very large, and the protocol cannot be assured safe for Alice.

Below, we deduce the length of X and the minimum of X's Rényi entropy of order $\alpha$ conditioned on Y.

To compare $H_\alpha(X_0 \mid Y = y)$ and $H_\alpha(X_1 \mid Y = y, X_0 = x_0)$, we need the lemma below:



Lemma 1. Let R be a random binary string of length N. For any $N_1$-tuple $(i_1, i_2, \dots, i_{N_1})$, where $1 \le i_1 < i_2 < \dots < i_{N_1} \le N$, let S be R's sub-string $(R_{i_1}, R_{i_2}, \dots, R_{i_{N_1}})$; then we get 

$$H_\alpha(S) \ge H_\alpha(R) - (N - N_1).$$ 

Proof. For a fixed string $s = (r_{i_1}, r_{i_2}, \dots, r_{i_{N_1}})$, R has exactly $2^{N - N_1}$ strings $(r_1, r_2, \dots, r_N)$ corresponding to it. Let $p_1, p_2, \dots, p_{2^{N - N_1}}$ be the probabilities of these strings, and $p_0 = P_S(s) = \sum_{i=1}^{2^{N - N_1}} p_i$. Then we have 

$$\sum_{i=1}^{2^{N - N_1}} p_i^\alpha = p_0^\alpha \sum_{i=1}^{2^{N - N_1}} \left(\frac{p_i}{p_0}\right)^\alpha \ge p_0^\alpha \left(\frac{1}{2^{N - N_1}}\right)^{\alpha - 1} = \frac{p_0^\alpha}{2^{(N - N_1)(\alpha - 1)}},$$ 

where the inequality uses the convexity of $x^\alpha$ for $\alpha > 1$ together with $\sum_i p_i/p_0 = 1$. Hence $P_S(s)^\alpha = p_0^\alpha \le 2^{(N - N_1)(\alpha - 1)} \sum_{i=1}^{2^{N - N_1}} p_i^\alpha$. Thus, 

$$\sum_{s \in \{0,1\}^{N_1}} P_S(s)^\alpha \le \sum_{s \in \{0,1\}^{N_1}} 2^{(N - N_1)(\alpha - 1)} \sum_{i=1}^{2^{N - N_1}} p_i^\alpha = 2^{(N - N_1)(\alpha - 1)} \sum_{r \in \{0,1\}^N} P_R(r)^\alpha,$$ 

$$\log \sum_{s \in \{0,1\}^{N_1}} P_S(s)^\alpha \le (N - N_1)(\alpha - 1) + \log \sum_{r \in \{0,1\}^N} P_R(r)^\alpha.$$ 

Dividing by $1 - \alpha$ (negative for $\alpha > 1$, so the inequality reverses) we obtain $H_\alpha(S) \ge H_\alpha(R) - (N - N_1)$.



Corollary. Let $X = X_0X_1$, where $X_0$ and $X_1$ are two n-bit binary strings; then $H_\alpha(X_0 \mid Y = y) \ge H_\alpha(X \mid Y = y) - n$.
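
A numeric check of Definition 1 and Lemma 1, added here as an example (not the paper's code): a non-uniform distribution $P_R$ over N-bit strings is constructed at random, the marginal $P_S$ of a sub-string S is formed exactly as in the proof, and the slack $H_\alpha(S) - (H_\alpha(R) - (N - N_1))$ is confirmed to be non-negative for several orders $\alpha$ (the Corollary is the case $N = 2n$, $N_1 = n$). The weight construction and the seed are assumptions.

```python
"""Added example (not the paper's code): numeric check of Lemma 1, using the
Renyi entropy of Definition 1 on a constructed distribution over N-bit strings."""
import math
import random


def renyi_entropy(probs, alpha):
    """H_alpha(X) = log2(sum p^alpha) / (1 - alpha); alpha = 1 is Shannon entropy."""
    probs = [p for p in probs if p > 0]
    if alpha == 1:
        return -sum(p * math.log2(p) for p in probs)
    return math.log2(sum(p ** alpha for p in probs)) / (1 - alpha)


def random_distribution(n_bits, rnd):
    """A constructed, clearly non-uniform P_R over {0,1}^N (random positive weights).
    Strings are represented as integers 0 .. 2^N - 1."""
    weights = [rnd.random() ** 3 for _ in range(2 ** n_bits)]
    total = sum(weights)
    return {r: w / total for r, w in enumerate(weights)}


def substring_marginal(p_r, n_bits, positions):
    """P_S for S = (R_{i_1}, ..., R_{i_{N_1}}) with 0-based positions: each P_S(s)
    is the sum p_1 + ... + p_{2^(N-N_1)} over the strings agreeing with s there."""
    p_s = {}
    for r, p in p_r.items():
        s = tuple((r >> (n_bits - 1 - i)) & 1 for i in positions)
        p_s[s] = p_s.get(s, 0.0) + p
    return p_s


def lemma1_slack(n_bits, positions, alpha, seed=2001):
    """H_alpha(S) - (H_alpha(R) - (N - N_1)); Lemma 1 says this is >= 0."""
    p_r = random_distribution(n_bits, random.Random(seed))
    p_s = substring_marginal(p_r, n_bits, positions)
    bound = renyi_entropy(p_r.values(), alpha) - (n_bits - len(positions))
    return renyi_entropy(p_s.values(), alpha) - bound
```

The check also passes at $\alpha = 2$, where the convexity step of the proof still applies.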

Lemma 2 [9]. Let $1 < \alpha < 2$ and let $r, t > 0$. For arbitrary random variables X and Y, the probability that Y takes a value y for which 

$$H_\alpha(X \mid Y = y) \ge H_\alpha(XY) - \log|\mathcal{Y}| - \frac{r}{\alpha - 1} - t$$ 

is at least $1 - 2^{-r} - 2^{-t}$.

By Lemma 2, we have $H_\alpha(X_1 \mid Y = y, X_0 = x) \ge H_\alpha(X_0X_1 \mid Y = y) - \log|\mathcal{X}_0| - \frac{r}{\alpha - 1} - t = H_\alpha(X \mid Y = y) - n - \frac{r}{\alpha - 1} - t$. Take $H_\alpha(X_1 \mid Y = y, X_0 = x_0)$ as the minimum, that is, 

$$H_\alpha(X_1 \mid Y = y, X_0 = x_0) = H_\alpha(X \mid Y = y) - n - \frac{r}{\alpha - 1} - t;$$ 

then the inequality $H_\alpha(X_0 \mid Y = y) \ge H_\alpha(X_1 \mid Y = y, X_0 = x_0)$ holds with probability at least $1 - 2^{-r} - 2^{-t}$. So, for the protocol to be safe, of the two privacy amplifications only the second needs to be considered, that is, applying the universal hash function $G_1$ to $X_1$ with $H_\alpha(X_1 \mid Y = y, X_0 = x_0)$.
Theorem 3. Let $1 < \alpha < 2$, $r > 1$, $t > 1$, let m be an integer such that $m - \log(m+1) > n + t$, and let $s > 0$ be the security parameter for smooth entropy. Let $X = X_0X_1$ be the concatenation of two n-bit binary strings $X_0$ and $X_1$. Then when 

$$n > k + \log(m+1) + \frac{2r}{\alpha - 1} + 2t + 2 + s$$ 

and 

$$H_\alpha(X \mid Y = y) > 2\left(k + \log(m+1) + \frac{2r}{\alpha - 1} + 2t + 2 + s\right),$$ 

the protocol $\binom{2}{1}$-OT$^k(w_0, w_1)(c)$ can safely be reduced to a single execution of UOT(X, Y) with probability at least $1 - 2^{-r+1} - 2^{-t+1}$.

Proof. By Theorem 2, $k < H_\alpha(X_1 \mid Y = y, X_0 = x_0) - \log(m+1) - \frac{r}{\alpha - 1} - t - 2 - s$, therefore 

$$H_\alpha(X_1 \mid Y = y, X_0 = x_0) > k + \log(m+1) + \frac{r}{\alpha - 1} + t + 2 + s, \tag{1}$$ 

that is, 

$$H_\alpha(X \mid Y = y) - n - \frac{r}{\alpha - 1} - t > k + \log(m+1) + \frac{r}{\alpha - 1} + t + 2 + s, \tag{2}$$ 

so 

$$H_\alpha(X \mid Y = y) > n + k + \log(m+1) + \frac{2r}{\alpha - 1} + 2t + 2 + s. \tag{3}$$ 

Again, because $2n \ge H_\alpha(X \mid Y = y)$, we have $2n > n + k + \log(m+1) + \frac{2r}{\alpha - 1} + 2t + 2 + s$, that is, 

$$n > k + \log(m+1) + \frac{2r}{\alpha - 1} + 2t + 2 + s, \tag{4}$$ 

so 

$$H_\alpha(X \mid Y = y) > 2\left(k + \log(m+1) + \frac{2r}{\alpha - 1} + 2t + 2 + s\right).$$ 

From Theorem 2 and inequality (1), after obtaining $X_0$ (and further $w_0$), the information about $X_1$ (and further about $w_1$) obtained by Bob is 

$$I(X_1; X_0Y) < \Delta(s) \tag{5}$$ 

with probability at least $1 - 2^{-r} - 2^{-t}$.

Because both inequalities (1) and (2) hold with probability at least $1 - 2^{-r} - 2^{-t}$, the process above fails with probability at most $1 - (1 - 2^{-r} - 2^{-t})(1 - 2^{-r} - 2^{-t}) < 2^{-r+1} + 2^{-t+1}$.
4 Conclusion

For the oblivious transfer protocol of two k-bit binary strings based on privacy amplification with Rényi entropy of order $\alpha$ for any $\alpha$ between 1 and 2, so long as the length and the conditional Rényi entropy (conditioned on the information about the sender's input obtained by the receiver) of the sender's input to privacy amplification are respectively larger than two constants depending on k, the receiver obtains one of the two k-bit strings and will obtain arbitrarily small information about the other k-bit string with some probability. The protocol makes no assumptions about the receiver's computing power, so under the given conditions the protocol is unconditionally secure.
Abstract. Fan and Lei proposed a user efficient blind signature scheme based on quadratic residues. The main merit of this scheme is that only a small number of arithmetic modular operations are required for a user to get a legal signature. Therefore, it is very suitable for commerce applications. However, Shao pointed out that this scheme did not achieve the unlinkability property. Furthermore, he also proposed an improved blind signature scheme to remedy this weakness and reduce the computations for requesters. In this article, we present a linking strategy to show that this improved version is also not a true blind signature scheme.

Keywords: Blind signature, cryptography



1 Introduction 

Some public key cryptosystems, such as RSA, Rabin [3] and so on, can be used to sign digital signatures. Without the private key, no one can forge a legal signature. Therefore, digital signatures are widely used to prove the integrity of data and the identity of the signee. However, in some applications, such as electronic cash systems or anonymous electronic voting systems, the anonymity property is necessary in order to protect the privacy of users. Hence, in 1982, David Chaum invented a blind signature scheme [1], which achieves not only the unforgeability property but also the unlinkability property. The protocol is briefly described as follows. When a requester sends a blind message to request a signature from the signee, the signee signs the blind message and sends the result to the requester. Then, the requester obtains the signature of the chosen message by performing the unblinding function. The signature can be verified, but the signee cannot link the blind message to the signature of the chosen message. A secure blind signature scheme must satisfy the unforgeability property and the unlinkability property.

Generally, users have less computation capacity than the signee in most applications of blind signatures. For example, in an electronic cash system, the bank always acts as the signee and the customers always act as the requesters. Therefore, in 1998, Fan and Lei proposed a blind signature scheme for user efficiency [2], whose security is completely based on quadratic residues (QR). The characteristic of this scheme is low computation for users: a user only requires a small number of arithmetic modular computations to obtain a legal signature. Therefore, it is more suitable for many commerce applications, such as mobile communications or smart card implementations.

However, Shao [4] showed that Fan and Lei's blind signature scheme is not really "blind". The signee can trace the identity of the user when the user reveals the signature in transactions. Therefore, the scheme cannot protect the user's privacy. Moreover, Shao proposed an improved scheme to remedy the weakness and reduce the computation overhead for users or requesters. In this paper, we show that Shao's method is also not a true blind signature scheme. The signee can derive some secret parameters and then link the signature to the requester's identity.

The rest of this paper is organized as follows. In Section 2, we briefly review Shao's scheme. Then we show that it is not really blind in Section 3. Finally, some conclusions are made in the last section.

2 Overview of Shao's Improved User Efficient Blind Signature Scheme

Shao proposed an improved version of Fan and Lei's user efficient blind signature scheme [2]. The improved scheme is more efficient than Fan and Lei's: it performs 12 modular multiplications, selects two random integers, and requires two data transmissions between the signee and the requester, while the corresponding numbers are 14, 3, and 4 in Fan and Lei's scheme. We briefly introduce Shao's scheme [4] below.

In Shao's scheme, there are two kinds of participants, a signee and a group of requesters. Requesters request blind signatures from the signee, and the signee issues the blind signatures to the requesters. In addition, the scheme can be divided into four phases: (1) the initialization phase, (2) the requesting phase, (3) the signing phase, and (4) the extraction phase. In the initialization phase, the signee sets up and publishes some necessary information. In the requesting phase, the requester delivers an encrypted message to request a blind signature from the signee. The signee computes the blind signature and sends it back to the requester. From the received message, the requester can extract the signature in the extraction phase. The processes of the four phases are itemized as follows.

The Initialization Phase

The signee computes $n = pq$, where p, q are two large primes and $p \equiv q \equiv 3 \pmod 4$. Furthermore, let H be a one-way hash function. The signee keeps p and q secret, and publishes n and H.

The Requesting Phase

To obtain a signature of the message m, the requester randomly chooses two integers u and b, such that 

$$a = b^2 H(m)(u^2 + 1) \bmod n. \tag{1}$$ 

Then the requester delivers a to the signee.

The Signing Phase

On receiving a, the signee randomly chooses an integer x. Because the signee knows the factors p and q of n, and $a(x^2 + 1) \bmod n$ is a QR in $Z_n^*$, the signee has the ability to derive t from 

$$t^{-2} = a(x^2 + 1) \bmod n. \tag{2}$$ 

Then, the signee delivers the pair (t, x) to the requester.

The Extraction Phase

After receiving (t, x), the requester computes 

$$c = (ux - 1)(x + u)^{-1} \bmod n, \text{ and} \tag{3}$$ 

$$s = bt(x + u) \bmod n. \tag{4}$$ 

The pair (c, s) is a signature of m. To verify the validity of (c, s) for m, the verifier checks whether or not the following equation holds: 

$$H(m)s^2(c^2 + 1) = 1 \bmod n. \tag{5}$$ 

In the following, we prove that Equation (5) always holds when the signature (c, s) is correct.

According to Equation (2), we get 

$$t^2 a(x^2 + 1) = t^2 t^{-2} = 1 \bmod n. \tag{6}$$ 

Hence, we have 

$$H(m)s^2(c^2 + 1) = H(m)b^2t^2(x + u)^2\left(\left(\frac{ux - 1}{x + u}\right)^2 + 1\right) = H(m)b^2t^2\left((ux - 1)^2 + (x + u)^2\right) = H(m)b^2t^2(u^2 + 1)(x^2 + 1) = t^2 a(x^2 + 1) = 1 \pmod n.$$ 

3 The Weakness of Shao's Improved User Efficient Blind Signature Scheme

In this section, we show that the signatures can be traced by the signee in Shao's scheme. Therefore, this scheme does not really achieve the unlinkability property. We consider the following scenario.

1. Let $RI_i$ be requester i's identity. The signee keeps a set of records $S = \{(RI_i, t_i, x_i) \mid i = 1, 2, \dots, z\}$ for z instances of the blind signed messages. Furthermore, the signee obtains the signature (c, s) of the message m when it is revealed by a requester.

2. With c and s, the signee computes 

$$cs = (ux - 1)bt \bmod n. \tag{7}$$ 

Then, the signee takes out t from some tuple in the set S and computes 

$$cst^{-1} = (ux - 1)b \bmod n, \text{ and} \tag{8}$$ 

$$(cst^{-1})^2 = (ux - 1)^2 b^2 = (u^2x^2 - 2ux + 1)b^2 = u^2b^2x^2 + b^2 - 2uxb^2 \pmod n. \tag{9}$$ 

3. Since $a = b^2H(m)(u^2 + 1) \bmod n$, the signee can compute 

$$aH^{-1}(m) = b^2(u^2 + 1) = b^2u^2 + b^2 \pmod n. \tag{10}$$ 

4. Now, in the signing phase, if the signee chooses $x = 1$ for some requesters on purpose, then Equation (9) can be rewritten as 

$$(cst^{-1})^2 = u^2b^2 + b^2 - 2ub^2 \bmod n. \tag{11}$$ 

From Equations (10) and (11), the signee can derive 

$$(cst^{-1})^2 = aH^{-1}(m) - 2ub^2 \bmod n.$$ 

Therefore, 

$$2ub^2 = aH^{-1}(m) - (cst^{-1})^2 \bmod n.$$ 

That is, 

$$ub^2 = 2^{-1}(aH^{-1}(m) - (cst^{-1})^2) \bmod n. \tag{12}$$ 

5. From Equation (4), since $s = tb + tub \bmod n$ when $x = 1$, we have 

$$sb = tb^2 + tub^2 \bmod n. \tag{13}$$ 

Replacing $ub^2$ with $2^{-1}(aH^{-1}(m) - (cst^{-1})^2)$ from Equation (12), Equation (13) becomes 

$$sb = tb^2 + t(2^{-1}(aH^{-1}(m) - (cst^{-1})^2)) \bmod n. \tag{14}$$ 

Since $tb^2 - sb = -t(2^{-1}(aH^{-1}(m) - (cst^{-1})^2)) \bmod n$, we have $b^2 - st^{-1}b = -(2^{-1}(aH^{-1}(m) - (cst^{-1})^2)) \bmod n$. Therefore, the signee can derive 

$$b(b - st^{-1}) = (cst^{-1})^2 - 2^{-1}aH^{-1}(m) \bmod n. \tag{15}$$ 

6. The improved blind signature scheme is based on the theory of quadratic residues. The security of this scheme is based on the difficulty of finding square roots modulo a composite number. According to Rabin's public key cryptosystem [3], to encrypt the message M, the encryption function is 

$$E(M) = C = M(M + a) \bmod n, \tag{16}$$ 

where C is the corresponding ciphertext and a and n are made public. The decryption function is 

$$D(C) = M = -\frac{a}{2} \pm \sqrt{(a/2)^2 + C} \bmod p \tag{17}$$ 

or 

$$M = -\frac{a}{2} \pm \sqrt{(a/2)^2 + C} \bmod q. \tag{18}$$ 

Without knowing the factors p and q of the modulus n, it is infeasible to compute the square root M from the given values a and C. Recall the computation of the square root b from Equation (15). Since the signee knows the factors p and q of n, $st^{-1} \bmod n$, and $(cst^{-1})^2 - 2^{-1}aH^{-1}(m) \bmod n$, the parameter b in Equation (15) can easily be computed by the decryption function of Rabin's public key cryptosystem.

7. Since b can be obtained, the signee can compute u from Equation (12). Further, the signee can compute c' and s' from Equations (3) and (4). If (c', s') is equal to the received signature (c, s), then the signee can get the identity of the requester from some record in the set S.

Obviously, from the blind signature $(H(m), c, s)$, the signee can make a linkage between it and the identity of the requester. Therefore, the scheme does not achieve the unlinkability property.



4 Conclusions

Shao's scheme is designed to be more efficient for users. Therefore, the scheme is suitable for many applications in which users have low computation capabilities. However, Shao's scheme is not a true blind signature. In this article, we have presented a linking strategy to show that Shao's blind signature scheme is not really "blind".
Abstract. A group signature scheme allows a group member to sign messages on behalf of a group. In 1996, Kim et al. proposed a new type of group signature, called "convertible group signature". Recently, Saeednia pointed out that there are weaknesses in the convertible group signature scheme proposed by Kim et al. Furthermore, Saeednia proposed a modified scheme to eliminate these weaknesses. In this paper, we show that there is a way to forge a group signature even if Saeednia's modified scheme is adopted.

Keywords: Cryptography, convertible group signature, cryptanalysis



1 Introduction 

In 1991, Chaum and Heyst [1] proposed the notion of group signature, which allows a group member to make a digital signature on behalf of the group. A group signature scheme has the following three characteristics: 

1. Only a group member can make signatures. 

2. Everybody can be a verifier to certify the validity of a group signature, but cannot discover who made it. 

3. If necessary, all the group members together or the group center can find out who signed a specific message. 

Kim et al. [2] proposed a new type of group signature, called "convertible group signature". In addition to the above characteristics, a convertible group signature can be verified without the help of group members or a trusted authority. In Kim et al.'s scheme, the group member's secret key consists of two integers: one is chosen by the member himself and the other is calculated by the group center. The integer chosen by the group member is kept secret from the group center, because it is protected by a one-way function. The group center uses his secret key to compute the other secret key for the group member. According to the above mechanism, Kim et al. argued that the group member can sign messages on behalf of the group and the signatures can be verified without the cooperation of the group member or the group center. Kim et al.'s scheme is secure if it is difficult to construct a valid secret key without knowing the group center's secret.

In 2000, Saeednia [3] pointed out that Kim et al.'s scheme allows an adversary to forge a signature on behalf of the group if some conditions are met. In other words, without knowing the group center's secret, an adversary has the capability to forge a signature if the group's public key satisfies a particular condition. Moreover, Saeednia also proposed a modified scheme to eliminate these weaknesses. Briefly, Saeednia uses a mechanism to make sure that the group's public key does not satisfy this particular condition.

In this paper, we show that even if Saeednia's modified scheme is adopted, a group member still has the capability to forge a signature on behalf of the group. In Section 2, we review Kim et al.'s scheme, Saeednia's attacks and his modified scheme. In Section 3, we propose an approach to forge a signature without knowing the group center's secret. Finally, Section 4 states the conclusions of our work.

2 Previous Work

2.1 Kim et al.'s Group Signature Scheme

There are four stages in Kim et al.'s [2] convertible group signature scheme: initialization, key generation, signature generation, and signature verification. We review these stages as follows:

Initialization. The group center is referred to below as GC. First, GC chooses three prime numbers p', q', and f. Here another two prime numbers p and q have to be formed, such that $p = 2fp' + 1$ and $q = 2fq' + 1$. An integer n is defined as the product of p and q. Next, GC chooses an integer g of order f modulo n, i.e., $g^f = 1 \pmod n$. Furthermore, GC chooses an integer $\gamma$ such that $(\gamma, p - 1) = 1$ and $(\gamma, q - 1) = 1$. Afterward GC computes its secret key d such that $\gamma \cdot d = 1 \pmod{\varphi(n)}$. Finally, n, f, g, and $\gamma$ are made public, and then p and q are discarded.

Key generation. In this stage, a group member A registers his secret key with GC. Afterward, A has the capability to sign a message M on behalf of the group $ID_G$. Here $ID_G$ denotes the group identity and represents the public key of the group.

A chooses a random integer $s_A \in Z_f$ as a part of his secret key and sends $(ID_G, g^{s_A} \bmod n)$ to GC. Then GC computes 

$$x_A = (ID_G \cdot g^{s_A})^{-d} \pmod n,$$ 

and sends $x_A$ to A secretly. Finally, A's secret key is the pair $(s_A, x_A)$. Although GC does not know $s_A$, he can identify the signer by $x_A$ and $g^{s_A}$.

Signature generation. For a message M, a group member A computes the triple $(e, z_1, z_2)$ as $ID_G$'s signature. First, A chooses two random integers $r_1, r_2 \in Z_f$, and the signature is computed as follows: 

$$e = h(V, M), \text{ where } V = g^{r_1} r_2^{\gamma} \pmod n,$$ 

$$z_1 = r_1 + s_A \cdot e \pmod f,$$ 

$$\text{and } z_2 = r_2 \cdot x_A^{e} \pmod n.$$ 

Here $h()$ denotes a publicly known one-way hash function.

Signature verification. To make sure $(e, z_1, z_2)$ is the group $ID_G$'s signature for M, the verifier computes 

$$V = (ID_G)^{e} g^{z_1} z_2^{\gamma} \pmod n.$$ 

If the equation $e = h(V, M)$ is satisfied, the verifier concludes that $(e, z_1, z_2)$ is a valid signature for M.

2.2 Saeednia's Attacks and His Solutions

Saeednia [3] pointed out that there are two possible ways to forge a signature in Kim et al.'s scheme. Furthermore, Saeednia proposed some solutions for these weaknesses. In this paper, we only focus on Saeednia's first attack and its solution, because his second attack is relatively negligible if his first solution still has weaknesses. Saeednia's first attack is successful if $ID_G \in T$. Here T denotes the set of integers whose order modulo n is 2, f, or 2f. That is to say, $ID_G^{2f} = 1 \pmod n$.

If $ID_G \in T$, one can obtain another usable GC secret key d', such that $\gamma \cdot d' = 1 \pmod{2f}$. Because $(\gamma, p - 1) = 1$ and $(\gamma, q - 1) = 1$, $\gamma$ is also relatively prime to 2f. Thus, for any $k \in T$, $k^{\gamma d'} = k \pmod n$ is true. Obviously, if $ID_G \in T$, one can obtain a valid secret key $(s_j, x_j)$ such that $x_j = (ID_G \cdot g^{s_j})^{-d'} \pmod n$. Here $s_j \in Z_f$ is an arbitrarily chosen integer. Afterward, an adversary can forge a signature for any message M on behalf of the group $ID_G$ by using the secret key $(s_j, x_j)$.

To eliminate the above mentioned weakness, Saeednia suggested reforming the group identity $ID_G$ as $I_G = h(J \| ID_G)$ such that $I_G \notin T$. Here J represents an arbitrary k-bit integer, and the group member's secret key is computed by $x_i = (I_G \cdot g^{s_i})^{-d} \pmod n$. In the verification stage, the verifier first checks whether $h(J \| ID_G)^{2f} \ne 1 \pmod n$. If so, the verifier believes that the signer is authenticated by GC. The rest of the verification procedure remains unchanged, except that the verifier uses $I_G$ rather than $ID_G$.

3 To Forge a Group Signature

In this section, we present a way which allows a group member to forge a valid secret key without knowing GC's secret, even when $ID_G \notin T$.

We describe the way a group member A generates a valid secret key as follows:

Step 1. A selects a random number $s_1 \in Z_f$, and then sends $(ID_G, g^{s_1} \bmod n)$ to GC. Afterward, A obtains a secret key $x_{A_1}$ from GC, where $x_{A_1}$ is computed by 

$$x_{A_1} = (ID_G \cdot g^{s_1})^{-d} \pmod n. \tag{1}$$ 

Step 2. A selects another random number $s_2 \in Z_f$, such that $s_2 = -s_1 \pmod f$, and then sends $(ID_G, g^{s_2} \bmod n)$ to GC. Similarly, A obtains the second secret key $x_{A_2}$ from GC, where $x_{A_2}$ is computed by 

$$x_{A_2} = (ID_G \cdot g^{s_2})^{-d} \pmod n. \tag{2}$$ 

Step 3. Again, A selects a random number $s_3 \in Z_f$, such that $s_3 \ne s_1$ and $s_3 \ne s_2$, and then sends $(ID_G, g^{s_3} \bmod n)$ to GC. Afterward, A obtains the third secret key $x_{A_3}$ from GC, computed as 

$$x_{A_3} = (ID_G \cdot g^{s_3})^{-d} \pmod n. \tag{3}$$ 

Finally, A obtains a valid secret key $(s'_A, x'_A)$, where $x'_A = x_{A_2}^{-1} \cdot x_{A_3}^{2} \pmod n$ and $s'_A = s_1 + 2s_3 \pmod f$, i.e., $x_{A_2}^{-1} \cdot x_{A_3}^{2} = (ID_G \cdot g^{s_1 + 2s_3})^{-d} \pmod n$.

Proposition 1. If $s_2 = -s_1 \pmod f$ and $s_3$ equals neither $s_1$ nor $s_2$, then 

$$x_{A_2}^{-1} \cdot x_{A_3}^{2} = (ID_G \cdot g^{s_1 + 2s_3})^{-d} \pmod n$$ 

holds. Here $x_{A_i} = (ID_G \cdot g^{s_i})^{-d} \pmod n$ and $s_i \in Z_f$.

Proof. Compute the product of Equations (1) and (2) as follows: 

$$x_{A_1} \cdot x_{A_2} = (ID_G \cdot g^{s_1})^{-d} \cdot (ID_G \cdot g^{s_2})^{-d} \pmod n$$ 

$$= (ID_G^{2} \cdot g^{s_1 + s_2})^{-d} \pmod n$$ 

$$= (ID_G^{2} \cdot g^{0})^{-d} \pmod n$$ 

$$= (ID_G^{2})^{-d} \pmod n. \tag{4}$$ 

Next, compute $((ID_G^{2})^{-d})^{-1} \cdot (x_{A_1} \cdot x_{A_2}) \pmod n$ as follows: 

$$((ID_G^{2})^{-d})^{-1} \cdot (x_{A_1} \cdot x_{A_2}) = ((ID_G^{2})^{-d})^{-1} \cdot (ID_G^{2})^{-d} \pmod n,$$ 

$$((ID_G^{2})^{-d})^{-1} \cdot (x_{A_1} \cdot x_{A_2}) = 1 \pmod n.$$ 

Thus, we have the following equation: 

$$((ID_G^{2})^{-d})^{-1} = (x_{A_1} \cdot x_{A_2})^{-1} \pmod n. \tag{5}$$ 

The result of Equation (1) multiplied by the square of Equation (3) is 

$$x_{A_1} \cdot x_{A_3} \cdot x_{A_3} = (ID_G \cdot g^{s_1})^{-d} \cdot (ID_G \cdot g^{s_3})^{-d} \cdot (ID_G \cdot g^{s_3})^{-d} \pmod n,$$ 

$$x_{A_1} \cdot x_{A_3}^{2} = (ID_G^{3} \cdot g^{s_1 + 2s_3})^{-d} \pmod n. \tag{6}$$ 

Finally, compute the product of Equations (5) and (6), and then we have Equation (7) as follows: 

$$(x_{A_1} \cdot x_{A_3}^{2})(x_{A_1} \cdot x_{A_2})^{-1} = (ID_G^{3} \cdot g^{s_1 + 2s_3})^{-d} ((ID_G^{2})^{-d})^{-1} \pmod n.$$ 

That is, 

$$x_{A_2}^{-1} \cdot x_{A_3}^{2} = (ID_G \cdot g^{s_1 + 2s_3})^{-d} \pmod n. \tag{7}$$ 

□

According to Proposition 1, Kim et al.'s scheme allows a group member A to obtain a valid secret key $(s'_A, x'_A)$ such that $x'_A = x_{A_2}^{-1} \cdot x_{A_3}^{2} \pmod n$ and $s'_A = s_1 + 2s_3 \pmod f$. Note that $x'_A$ is not generated by GC, so GC cannot exactly identify who has signed the messages from the signatures that were generated using $(s'_A, x'_A)$. Therefore, A has the capability to forge a group signature for any message M on behalf of the group $ID_G$, and he has no responsibility for this signature. In particular, the above mechanism still works even when $ID_G \notin T$. Therefore, although Saeednia's scheme reforms the identity $ID_G$ into $I_G \notin T$, Saeednia's scheme still allows a group member to forge a group signature.

Furthermore, we note that even if GC allows a group member to register his secret key only once, a valid secret key can still be counterfeited by collusion. In other words, any three members in the same group can conspire to construct a valid secret key by choosing the integers $s_1, s_2$, and $s_3$ as their parts of the secret keys as in Steps 1, 2, and 3, respectively.
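
The scheme of Section 2.1 and the three-registration key of Section 3, as an added toy example (not Kim et al.'s, Saeednia's or this paper's code) that checks Proposition 1 numerically and confirms that the combined key verifies while its $g^{s'}$ never appears in GC's records; the tiny primes, the hash reduced into $Z_f$ and the choice of an $ID_G \notin T$ are constructed assumptions.

```python
"""Added example (not Kim et al.'s, Saeednia's or this paper's code): a toy
instance of the convertible group signature of Section 2.1 and of the
three-registration key of Section 3.  Parameters, hash and ID_G are assumptions."""
import hashlib
import random
from math import gcd

# Constructed toy parameters: f = 11, p = 2 f p' + 1 = 67 (p' = 3), q = 2 f q' + 1 = 419 (q' = 19)
F, P, Q = 11, 67, 419
N = P * Q
PHI = (P - 1) * (Q - 1)
GAMMA = 5                        # gcd(5, p - 1) = gcd(5, q - 1) = 1
D = pow(GAMMA, -1, PHI)          # GC's secret key: gamma * d = 1 (mod phi(n))


def find_generator():
    """An integer g of order exactly f modulo n: h^(lcm(p-1, q-1)/f) always has
    g^f = 1 (mod n); keep it only if it is not 1 modulo p or modulo q."""
    lam = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)
    for base in range(2, N):
        g = pow(base, lam // F, N)
        if gcd(base, N) == 1 and g % P != 1 and g % Q != 1:
            return g


G = find_generator()
# A group identity outside T (order not dividing 2f): the case Saeednia's fix covers
ID_G = next(i for i in range(1000, N) if gcd(i, N) == 1 and pow(i, 2 * F, N) != 1)


def h(v, m):
    """Toy hash h(V, M) reduced into Z_f (assumption; far too narrow for real use)."""
    return int.from_bytes(hashlib.sha256(f"{v}|{m}".encode()).digest(), "big") % F


def gc_register(id_g, g_s):
    """Key generation at GC: x = (ID_G * g^s)^(-d) mod n.  GC keeps g^s on
    record, which is how it later identifies a signer."""
    return pow(pow(id_g * g_s % N, -1, N), D, N)


def sign(id_g, s, x, m, seed):
    """Signature generation with secret key (s, x): returns (e, z1, z2)."""
    rnd = random.Random(seed)
    r1, r2 = rnd.randrange(1, F), rnd.randrange(2, N)
    v = pow(G, r1, N) * pow(r2, GAMMA, N) % N
    e = h(v, m)
    return e, (r1 + s * e) % F, r2 * pow(x, e, N) % N


def verify(id_g, m, sig):
    """Signature verification: V = ID_G^e g^z1 z2^gamma mod n, then e = h(V, M)."""
    e, z1, z2 = sig
    v = pow(id_g, e, N) * pow(G, z1, N) * pow(z2, GAMMA, N) % N
    return h(v, m) == e


def forge_key(id_g, s1, s3):
    """Section 3: register s1, s2 = -s1 (mod f) and s3 in turn, then combine the
    replies as x' = x1 * x3^2 * (x1 * x2)^-1 (mod n), s' = s1 + 2 s3 (mod f).
    Returns (s', x') and the three g^s values GC has on record."""
    s2 = (-s1) % F
    registered = [pow(G, s, N) for s in (s1, s2, s3)]
    x1, x2, x3 = (gc_register(id_g, g_s) for g_s in registered)    # (1), (2), (3)
    x_forged = x1 * pow(x3, 2, N) * pow(x1 * x2 % N, -1, N) % N
    return (s1 + 2 * s3) % F, x_forged, registered
```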

4 Conclusions

In this paper, we have shown that Saeednia's modified group signature scheme still has a serious weakness. In other words, not only Kim et al.'s scheme but also Saeednia's modified scheme enables a group member to forge a signature for any message M without knowledge of GC's secret, even when $ID_G \notin T$.
Abstract. Digital watermarking is a key technique for protecting intellectual 
property of digital media. As a number of methods have been proposed in recent 
years to embed watermarks in images for various applications, evaluation of 
watermarking algorithms becomes more and more important. The degradation 
of watermarked images, which can be measured by signal to noise ratio (SNR) 
or peak signal to noise ratio (PSNR), is one of the major performance indexes of 
watermarking algorithms. In this paper, based on the Laplacian distribution 
model of DCT coefficients, we deduce a theoretical relationship between the 
scaling parameter in a typical watermarking algorithm and the degradation of 
watermarked images. Experimental results show that the estimation error of 
SNR and PSNR is less than 1 dB. Using this relationship, we design an adaptive 
insertion strategy that can be employed to embed watermarks in natural images 
with assigned SNR or PSNR. 



1 Introduction 

Digital watermarking, which has been proposed as a solution to the problem of copy- 
right protection of multimedia data in the networked environment, is a process of 
embedding information (or signature) directly into the media data by making small 
modifications to them. With the detection/extraction of the signature from the water- 
marked media data, it has been claimed that digital watermarks can be used to identify 
the rightful owner, the intended recipients, as well as the authenticity of media data. 

As a number of watermarking methods have been proposed in recent years, evalua- 
tion of watermarking algorithms becomes more and more important. Among the major 
performance indexes, the degradation of watermarked images, which can be measured 
by signal to noise ratio (SNR) or peak signal to noise ratio (PSNR), is cared about by 
most of the users. In this paper, based on the Laplacian distribution model of AC DCT 
coefficients, we deduce a theoretical relationship between the scaling parameter in a 
typical watermarking algorithm and the degradation of watermarked images. Experi- 
mental results show that the estimation error of SNR and PSNR is less than 1 dB. 
Based on this work, not only can we estimate how degraded the images will be after 
embedding watermarks, but also realize an adaptive watermark embedding algorithm 
in the DCT domain for natural images with assigned SNR or PSNR. 
The rest of the paper is organized as follows. Section 2 reviews the watermarking schemes proposed by Cox [2, 3] and Barni [11]. In Section 3, after briefly describing the statistical models that have been proposed to characterize the DCT coefficients of common images, we introduce the mathematical analysis of the DCT coefficient distributions reported by Lam and Goodman [1]. In Section 4, we derive the theoretical relationship between the scaling parameter of the watermarking algorithm and the SNR or PSNR of the watermarked image; from this, a new watermark insertion strategy that embeds watermarks with an assigned quality grade is obtained. Section 5 presents experimental results. Section 6 draws conclusions.



2 Embedding Image Watermark in the Block-DCT Coefficients

Since Cox et al. [2, 3] proposed a global DCT-based spread spectrum approach to hide watermarks, more and more watermarking schemes in the DCT domain have been presented. As a private watermarking method, Cox's algorithm requires access to the original image, which limits its use: if there are many images to be authenticated, it is difficult to find the original image corresponding to a given watermarked image, which in effect becomes a special case of content-based image retrieval. More seriously, Craver [8, 9] reported a counterfeit attack on private watermarking systems, known as the "IBM attack", which most current private watermarking systems cannot resist. We note that more and more blind watermarking schemes have been proposed recently. Barni [11] improved Cox's algorithm and made it a blind watermarking scheme by embedding the signature at fixed positions. To achieve both perceptual invisibility and robustness against JPEG compression, such watermarking algorithms select the host coefficients in the low-middle frequency band. In this paper, the watermark embedding algorithm to be evaluated is like Barni's. What changes here is that we use the 8×8 block-wise DCT coefficients to embed the watermark, not the full-frame DCT coefficients, so that the algorithm fits the JPEG standard.

Like [2, 3, 11], the watermark $W = \{w_1, w_2, \dots, w_n\}$ consists of a pseudo-random sequence of length $n$; each value $w_i$, $i = 1, 2, \dots, n$, is a random real number with a normal distribution of zero mean and unit variance. Given an image $I$, the $8\times8$ block-wise DCT transform $D = \mathrm{DCT}(I)$ is computed. Some low-frequency coefficients of each block are then extracted and reordered in zig-zag order, giving the host sequence $H = \{h_1, h_2, \dots, h_n\}$. The watermarked sequence $H' = \{h'_1, h'_2, \dots, h'_n\}$ is obtained according to

$$h'_i = h_i \cdot (1 + \alpha w_i), \qquad i = 1, 2, \dots, n \tag{1}$$

where $\alpha$ is the scaling parameter. Finally, $H'$ is reinserted in the zig-zag scan and the inverse $8\times8$ block-wise DCT is performed, giving the watermarked image $I' = \mathrm{DCT}^{-1}(D')$.
3 Statistical Modeling of the DCT Coefficients

The discrete cosine transform (DCT) is widely used in transform image coding sys- 
tems because of its nearly optimal energy compaction properties. Since efficient 
quantizer design and noise mitigation for image enhancement are based on source 
models, there have been various studies on the distributions of the DCT coefficients 
for images over the past two decades. Most of these studies concentrated on fitting the 
empirical data from some standard images with a variety of well-known statistical 
distributions, and then comparing their goodness-of-fit [1]. 

Early on, Pratt [7] conjectured that the AC coefficients follow a zero-mean Gaussian distribution, defined as

$$f_G(x) = \frac{1}{\sqrt{2\pi}\,\sigma}\; e^{-x^2/(2\sigma^2)} \tag{2}$$

Using the Kolmogorov-Smirnov test, Reininger and Gibson verified that the AC coefficients follow a Laplacian distribution [4], defined as

$$f_L(x) = \frac{1}{\sqrt{2}\,\sigma}\; e^{-\sqrt{2}\,|x|/\sigma} \tag{3}$$

Joshi and Fischer modeled the AC coefficients with a generalized Gaussian density function [5], defined as

$$f_{GGD}(x) = \frac{\gamma\,\eta(\gamma)}{2\sigma\,\Gamma(1/\gamma)} \exp\left\{-\left[\eta(\gamma)\,\frac{|x|}{\sigma}\right]^{\gamma}\right\}, \qquad \eta(\gamma) = \sqrt{\frac{\Gamma(3/\gamma)}{\Gamma(1/\gamma)}} \tag{4}$$

where $\Gamma(\cdot)$ denotes the usual gamma function, $\gamma$ is the shape parameter of the p.d.f., which describes the exponential rate of decay, and $\sigma$ is the standard deviation. The generalized Gaussian distribution contains the Laplacian and Gaussian distributions as special cases, with $\gamma = 1$ and $\gamma = 2$ respectively. The shape of $f_{GGD}(x)$ for some shape parameters is depicted in Figure 1.




Fig. 1. Shape of $f_{GGD}(x)$ for some shape parameters. The Laplacian and Gaussian distributions are the special cases $\gamma = 1$ and $\gamma = 2$, respectively.
According to the maximum likelihood criterion, Barni [6] evaluated the shape parameter using 170 natural images. The experimental results demonstrated that the AC coefficients can be effectively modeled by a Laplacian density function. In [5], Joshi and Fischer concluded that the probability density of the AC coefficients is much closer to Laplacian or Gaussian when the blocks are classified by AC energy.

Although the Laplacian distribution remains a popular choice balancing simplicity of the model and fidelity to the empirical data, few authors provide an analytic justification for this choice. In [1], Lam and Goodman offered a comprehensive mathematical analysis of the DCT coefficient distributions of natural images. They demonstrated that a doubly stochastic model yields a Laplacian distribution of the coefficients. Our work in this paper is based on their demonstration.

For simplicity, assume that the size of image $I$ is $8m \times 8n$. After dividing $I$ into non-overlapping blocks of size $8\times8$, the set of sub-images $\{I_1, I_2, \dots, I_{m\times n}\}$ is obtained. Each block is then subjected to the discrete cosine transform, giving the block set $\{V_1, V_2, \dots, V_{m\times n}\}$, where $V_i = \mathrm{DCT}(I_i)$, $i = 1, 2, \dots, m\times n$. Since the DCT is a quasi-optimal transform, we can assume the AC coefficients in $V_i$ to be statistically independent. Therefore, by the central limit theorem, the AC coefficients within a block should be approximately Gaussian with zero mean, with a variance proportional to the variance of the pixels in the block. The conditional probability density function is

$$f\big(V_i(x,y)\,\big|\,\sigma_i^2\big) = \frac{1}{\sqrt{2\pi}\,\sigma_i}\; e^{-V_i(x,y)^2/(2\sigma_i^2)}, \qquad (x,y) \text{ an AC position of the } 8\times8 \text{ block} \tag{5}$$

After some observation, Lam assumed that the histogram of the block variances of nat­ural images could be reasonably approximated by an exponential distribution, i.e.

$$f(\sigma^2) = \lambda\, e^{-\lambda\sigma^2}, \qquad \sigma^2 \ge 0 \tag{6}$$

The density function of the AC block-DCT coefficients is then obtained by conditioning on $\sigma^2$:

$$f\big(V(x,y)\big) = \int_0^{\infty} f\big(V(x,y)\,\big|\,\sigma^2\big)\, f(\sigma^2)\, d\sigma^2 \tag{7}$$

Substituting (5) and (6) into (7), we get

$$f\big(V(x,y)\big) = \frac{1}{\sqrt{2}\,\sigma_V}\; e^{-\sqrt{2}\,|V(x,y)|/\sigma_V} \tag{8}$$

where the standard deviation is

$$\sigma_V = \frac{1}{\sqrt{\lambda}} \tag{9}$$
4 Evaluating the Degradation of Watermarked Images

4.1 Relationship between $\sigma_I^2$ and $\sigma_V^2$

Since the watermark is very weak compared with the AC coefficients, we can assume that the Laplacian model of the DCT AC coefficients does not change after the watermark is embedded, and that only the variance differs. To analyze the relationship between the scaling parameter and the degradation of the watermarked image, we must first derive the relationship between the variance of the image luminance and the variance of the AC coefficients.

Among the set of sub-images, let $\mu_i$ be the mean luminance of $I_i$, i.e. $\mu_i = E(I_i)$; then the mean luminance of the whole image $I$ is

$$\mu = E(I) = E(\mu_i), \qquad i = 1, 2, \dots, m\times n \tag{10}$$

Its variance is

$$\sigma_I^2 = E(I^2) - [E(I)]^2 = E\big[E(I_i^2)\big] - \mu^2 \tag{11}$$

For each sub-image, $\sigma_i^2 = E(I_i^2) - \mu_i^2$, so (11) can be rewritten as

$$\sigma_I^2 = E(\sigma_i^2 + \mu_i^2) - \mu^2 = E(\sigma_i^2) + E(\mu_i^2) - \mu^2 \tag{12}$$

From the previous section, we know that $\sigma_i^2$ follows an exponential distribution, so it is easy to see that

$$E(\sigma_i^2) = \frac{1}{\lambda} \tag{13}$$

Substituting (9) and (13) into (12), we obtain

$$\sigma_I^2 = \sigma_V^2 + E(\mu_i^2) - \mu^2 \tag{14}$$

Let $\sigma_\mu^2 = E(\mu_i^2) - \mu^2 = E(\mu_i^2) - E^2(\mu_i)$ be the variance of the mean luminance of the sub-images; then (14) simplifies to

$$\sigma_I^2 = \sigma_V^2 + \sigma_\mu^2 \tag{15}$$

As the watermark is embedded in the AC coefficients, by the definition of the inverse DCT (IDCT) the DC components $\mu_i$ are unchanged by the watermark embedding procedure. Thus $\sigma_\mu^2$ depends only on the original image $I$, and any change of $\sigma_I^2$ comes from the alteration of $\sigma_V^2$ alone.
4.2 Evaluation of SNR and PSNR

Just like noise interference, watermark embedding degrades the image's quality. In the spatial domain, the watermarked image can be modeled as $I' = I + n$. To measure the degradation of the watermarked image $I'$, two objective criteria used in image compression research are introduced: the signal to noise ratio (SNR) and the peak signal to noise ratio (PSNR), defined as

$$\mathrm{SNR}\,(\mathrm{dB}) = 10\lg\big(\sigma_I^2/\sigma_n^2\big) \tag{16}$$

$$\mathrm{PSNR}\,(\mathrm{dB}) = 10\lg\big(255^2/\sigma_n^2\big) \tag{17}$$

Since the watermarking algorithm leaves the DC components unchanged, and the watermark noise is uncorrelated with the image because $w_i$ has zero mean, it follows from (15) that

$$\sigma_n^2 = \sigma_{I'}^2 - \sigma_I^2 = \sigma_{V'}^2 - \sigma_V^2 \tag{18}$$

Substituting (18) into (16) and (17), we obtain the SNR and PSNR of the watermarked image expressed in the DCT domain:

$$\mathrm{SNR} = 10\lg\big[\sigma_I^2/(\sigma_{V'}^2 - \sigma_V^2)\big] \tag{19}$$

$$\mathrm{PSNR} = 10\lg\big[255^2/(\sigma_{V'}^2 - \sigma_V^2)\big] \tag{20}$$

Assume that the watermark is embedded in the DCT AC coefficients according to (1). Based on the Laplacian model of $V$, and since $w_i$ has zero mean and unit variance, the variance of the AC coefficients of the watermarked image is

$$\sigma_{V'}^2 = (1 + \alpha^2)\,\sigma_V^2 \tag{21}$$

Substituting (15) and (21) into (19) and (20), we obtain the relationship

$$\mathrm{SNR} = 10\lg\sigma_I^2 - 10\lg\big(\sigma_I^2 - \sigma_\mu^2\big) - 20\lg\alpha \tag{22}$$

$$\mathrm{PSNR} = 20\lg 255 - 10\lg\big(\sigma_I^2 - \sigma_\mu^2\big) - 20\lg\alpha \tag{23}$$

From expressions (22) and (23) we can conclude that SNR and PSNR decrease logarithmically as the scaling parameter $\alpha$ increases. Across different images, the watermarked image quality also depends on the "energy" of the original image, $\sigma_I^2$, and on the variance of the mean luminance of the sub-images, $\sigma_\mu^2$. The higher the image energy, the less the degradation. On the other hand, the higher $\sigma_\mu^2$ is, that is, the more complex the image content (the less uniform the luminance distribution), the less the image degradation. These conclusions agree very well with subjective perception.
4.3 Adjusting $\alpha$ According to the Assigned Quality Grade and Image

Until now, many algorithms have been proposed to make the scaling parameter adaptive to the image or to local areas of it. But from a commercial point of view, since the value of a digital image is closely associated with its quality, there are obvious benefits if the insertion strategy can embed watermarks with an assigned quality grade for different images. Based on our evaluation formulas (22) and (23), we can design such a strategy.

Given a quality parameter SNR or PSNR, the scaling parameter $\alpha$ for a specified image $I$ is obtained directly from (22) or (23), since $\sigma_I^2$ and $\sigma_\mu^2$ are computed from the image itself. If the estimate is precise enough, the strategy will also perform well.
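As an added worked example (this is not code from the paper), the following Python implements the block-DCT embedding of (1), measures SNR and PSNR in the spatial domain as in (16) and (17), evaluates the estimates (22) and (23) from the image statistics $\sigma_I^2$ and $\sigma_\mu^2$, and inverts (23) to obtain $\alpha$ for an assigned PSNR as described above. The input is a constructed synthetic image (per-block mean plus a smooth ramp and a little noise), not the "cameraman" image of Section 5; the host band is the first nine zig-zag AC positions, as in Section 5. All function and variable names are the example's own.

```python
import math
import random

N = 8  # block size; the paper uses the 8x8 block-wise DCT so that the scheme fits JPEG


def _dct_matrix(n=N):
    # Orthonormal DCT-II basis C[u][x]; C is orthogonal, so the 2-D transform
    # preserves energy and the spatial-domain noise can be checked exactly.
    rows = []
    for u in range(n):
        scale = math.sqrt(1.0 / n) if u == 0 else math.sqrt(2.0 / n)
        rows.append([scale * math.cos((2 * x + 1) * u * math.pi / (2 * n)) for x in range(n)])
    return rows


_C = _dct_matrix()


def dct2(block):
    # D = C B C^T
    n = len(block)
    t = [[sum(_C[u][x] * block[x][y] for x in range(n)) for y in range(n)] for u in range(n)]
    return [[sum(t[u][y] * _C[v][y] for y in range(n)) for v in range(n)] for u in range(n)]


def idct2(coef):
    # B = C^T D C
    n = len(coef)
    t = [[sum(_C[u][x] * coef[u][v] for u in range(n)) for v in range(n)] for x in range(n)]
    return [[sum(t[x][v] * _C[v][y] for v in range(n)) for y in range(n)] for x in range(n)]


# First nine AC positions of an 8x8 block in zig-zag order: the host band of Sect. 5.
HOST_POSITIONS = [(0, 1), (1, 0), (2, 0), (1, 1), (0, 2), (0, 3), (1, 2), (2, 1), (3, 0)]


def embed(image, alpha, seed=1):
    """Eq. (1), h'_i = h_i (1 + alpha w_i), on the host coefficients of every block.
    Returns the watermarked image (unrounded floats) and the DCT-domain perturbation
    energy sum((alpha h_i w_i)^2), which by Parseval equals the spatial noise energy."""
    rng = random.Random(seed)  # pseudo-random watermark w_i ~ N(0, 1), keyed by the seed
    rows, cols = len(image), len(image[0])
    out = [[0.0] * cols for _ in range(rows)]
    energy = 0.0
    for by in range(0, rows, N):
        for bx in range(0, cols, N):
            d = dct2([image[by + i][bx:bx + N] for i in range(N)])
            for (u, v) in HOST_POSITIONS:
                delta = alpha * d[u][v] * rng.gauss(0.0, 1.0)
                energy += delta * delta
                d[u][v] += delta
            b = idct2(d)
            for i in range(N):
                out[by + i][bx:bx + N] = b[i]
    return out, energy


def _variance(values):
    mean = sum(values) / len(values)
    return sum((x - mean) ** 2 for x in values) / len(values)


def image_stats(image):
    """sigma_I^2 (pixel variance) and sigma_mu^2 (variance of the block means), cf. (15)."""
    pixels = [p for row in image for p in row]
    means = [sum(image[by + i][bx + j] for i in range(N) for j in range(N)) / (N * N)
             for by in range(0, len(image), N) for bx in range(0, len(image[0]), N)]
    return _variance(pixels), _variance(means)


def noise_variance(original, marked):
    n = len(original) * len(original[0])
    return sum((a - b) ** 2 for ro, rm in zip(original, marked) for a, b in zip(ro, rm)) / n


def measured_snr_psnr(original, marked):
    """Eqs. (16)-(17) measured directly from the two images."""
    s2 = noise_variance(original, marked)
    return 10 * math.log10(image_stats(original)[0] / s2), 10 * math.log10(255.0 ** 2 / s2)


def estimated_snr_psnr(image, alpha):
    """Eqs. (22)-(23): the prediction from sigma_I^2, sigma_mu^2 and alpha alone."""
    sigma_i2, sigma_mu2 = image_stats(image)
    ac = sigma_i2 - sigma_mu2  # sigma_V^2 by eq. (15)
    snr = 10 * math.log10(sigma_i2) - 10 * math.log10(ac) - 20 * math.log10(alpha)
    psnr = 20 * math.log10(255.0) - 10 * math.log10(ac) - 20 * math.log10(alpha)
    return snr, psnr


def alpha_for_psnr(image, target_psnr):
    """Invert eq. (23): the scaling parameter that should give the assigned PSNR (Sect. 4.3)."""
    sigma_i2, sigma_mu2 = image_stats(image)
    return 10 ** ((20 * math.log10(255.0) - 10 * math.log10(sigma_i2 - sigma_mu2) - target_psnr) / 20)


def synthetic_image(rows=64, cols=64, seed=7):
    """Constructed test input, not a real photograph: every 8x8 block gets its own mean,
    a smooth ramp and a little noise, so that sigma_mu^2 and sigma_V^2 are both non-trivial."""
    rng = random.Random(seed)
    img = [[0.0] * cols for _ in range(rows)]
    for by in range(0, rows, N):
        for bx in range(0, cols, N):
            mu, gx, gy = rng.uniform(70, 180), rng.uniform(-6, 6), rng.uniform(-6, 6)
            for i in range(N):
                for j in range(N):
                    value = mu + gx * (j - 3.5) + gy * (i - 3.5) + rng.gauss(0.0, 3.0)
                    img[by + i][bx + j] = min(255.0, max(0.0, value))
    return img
```

Because the DCT is orthonormal, the spatial-domain noise energy equals the DCT-domain perturbation energy $\sum(\alpha h_i w_i)^2$ exactly, which `embed` returns next to the image; (22) and (23) replace that quantity by its expectation $\alpha^2\sigma_V^2$, which is what makes them estimates. Note that (21) applies the $(1+\alpha^2)$ factor to the whole AC variance $\sigma_V^2$ although only the host band is perturbed, so the estimate is tight only when the host band carries most of the AC energy, as it does for natural images.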



5 Experimental Results

Selecting the first nine AC DCT coefficients in zig-zag order in every block as the host sequence, we signed the standard image "cameraman" with scaling parameters ranging from 0.01 to 0.1. The theoretical estimates of image degradation (SNR, PSNR) and the corresponding experimental results are shown in Table 1, Table 2 and Figure 2. Both the SNR (left) and PSNR (right) agree quite well with their theoretical calculations; the estimation error is less than 1 dB.



Table 1. Theoretical estimation and experimental results of signal to noise ratio (SNR)

α                   0.01    0.02    0.03    0.04    0.05
SNR (Theoretical)  48.15   42.13   38.60   36.10   34.17
SNR (Empirical)    47.26   41.24   37.72   35.22   33.28

α                   0.06    0.07    0.08    0.09    0.10
SNR (Theoretical)      -       -   30.08   29.06   28.15
SNR (Empirical)        -       -   29.20   28.18   27.26

(The entries for α = 0.06 and 0.07 in Table 1 are illegible in the source.)

Table 2. Theoretical estimation and experimental results of peak signal to noise ratio (PSNR)

α                   0.01    0.02    0.03    0.04    0.05
PSNR (Theoretical) 60.38   54.36   50.84   48.34   46.40
PSNR (Empirical)   59.50   53.48   49.95   47.46   45.52

α                   0.06    0.07    0.08    0.09    0.10
PSNR (Theoretical) 44.82   43.48   42.32   41.30   40.38
PSNR (Empirical)   43.93   42.59   41.43   40.41   39.50



To test our watermark insertion strategy, we embedded watermarks with specified SNR and PSNR (indicated by dashed lines in Figure 4) in the eight images shown in Figure 3. The computed SNR (above) and PSNR (below) are illustrated in Figure 4.
Fig. 2. The relationship between scaling parameter and image quality. (a) shows the relationship between scaling parameter and SNR, (b) shows the relationship between scaling parameter and PSNR.

6 Conclusion 

In this paper, a theoretical relationship between the scaling parameter of a typical watermarking algorithm and the degradation of the watermarked image has been explored. We began our analysis by extending Lam's mathematical justification of the Laplacian distribution model of the DCT coefficients of natural images [1]. A relationship between the variance of the image luminance and the variance of the block-DCT coefficients was derived. Then the estimation formulas for SNR and PSNR were obtained from their definitions. These evaluation formulas not only agree very well with subjective perception, but also have the high estimation accuracy demonstrated in our experiments.





Fig. 4. Assigned and computed image quality. (a) shows the assigned and computed SNR, (b) shows the assigned and computed PSNR.
Abstract. This paper presents a new sliding window algorithm that is well suited to an elliptic curve defined over an extension field for which the Frobenius map can be computed quickly, e.g., an optimal extension field. The algorithm reduces the number of elliptic curve group operations by approximately 15% for scalar multiplication on a practically used curve in comparison with Lim and Hwang's results presented at PKC2000, the fastest previously reported. The algorithm was implemented on computers; as a result, a scalar multiplication can be accomplished in 573 μs, 595 μs, and 254 μs on Pentium II (450 MHz), 21164A (500 MHz), and 21264 (500 MHz) computers, respectively.



1 Introduction 

Many studies have been conducted on fast exponentiation algorithms, since many public key cryptosystems require an exponentiation $g^e$ [1, Sect. 8]. If neither the base nor the exponent can be fixed, the sliding window exponentiation [1, Algorithm 14.85 on p. 616] is one of the most efficient algorithms for computing exponentiations.

Recently, elliptic curve cryptosystems have been the focus of much attention, since they have many advantages, for example a short key length and fast computation. In particular, the use of an optimal extension field (OEF) [2] for software implementation has shown that an elliptic curve cryptosystem can be faster than a public key cryptosystem based on modular exponentiation.

The algorithms for exponentiation can be used for scalar multiplication in the group defined over an elliptic curve. Moreover, if an extension field is used for the elliptic curve, another technique called the base-$\phi$ expansion [3] can be employed. Until now, several studies on base-$\phi$ expansion have been conducted, including its application to OEF [4], but these studies focused on expanding a scalar into its base-$\phi$ representation, and the resulting algorithms are only analogues of modular exponentiation algorithms.

Solinas presented base-$\phi$ expansion with a window algorithm for an elliptic curve [5]. His algorithm was considered only for a field of characteristic two, and he used a (sliding) window algorithm. Lim and Hwang presented the

* This work was done while the author was in NTT Information Sharing Platform Laboratories.

Lim-Lee algorithm [6] applied to an elliptic curve defined over OEF [7,8]. They used a more sophisticated algorithm to compute a scalar multiplication using the base-$\phi$ representation, but they did not use any special property of elliptic curves. Moreover, Tsuruoka and Koyama used optimal addition sequences for this scenario [9]. Once the addition sequence has been constructed, their algorithm is fast, but computing the addition sequence takes a long time for small extension fields.

This paper focuses on a combination of the sliding window and the base-$\phi$ expansion. Computing the Frobenius map $\phi$ is very fast in a suitably represented extension field. This property ensures that we can also "slide" in the other direction when computing a scalar multiplication.

2 Preliminaries 

2.1 Elliptic Curve 

An elliptic curve cryptosystem consists of group arithmetic defined on an elliptic curve over a finite field. The number of field operations depends on the representation of a point on the elliptic curve. We can roughly classify the representations into two groups: the projective systems, which do not require field inversion, and the affine system, which requires field inversions. For more details, Cohen et al. [10] discuss the advantages and disadvantages of these systems.

Below is an example in Jacobian coordinates, one of the projective systems. Using $a$ and $b$ as parameters, a non-supersingular elliptic curve over a field of characteristic greater than 3 is defined as

$$Y^2 = X^3 + aXZ^4 + bZ^6 \qquad (4a^3 + 27b^2 \ne 0). \tag{1}$$

We can define the group operations on the rational points of the curve.

2.2 Previous Studies on OEF 

This section provides a brief overview of the history of the implementations of scalar multiplication on an elliptic curve over OEF.

Bailey and Paar proposed OEFs [2]. An OEF can be represented as $\mathrm{GF}(p)[x]/(f(x))$, where $p = 2^n - c$ ($\log_2 c \le n/2$) and $f(x) = x^m - \omega$. (Note that $n$ is the size of $p$ and $m$ is the extension degree.) An OEF is very well suited to software implementation because the conditions

$$2^n \equiv c \pmod p, \qquad x^m \equiv \omega \pmod{f(x)}$$

can be used to reduce the complexity of field multiplications. They showed that their implementations are significantly faster than those previously reported.
Kobayashi et al. applied the base-$\phi$ expansion technique [3] to scalar multiplication in $E(\mathrm{GF}(p^m))/\mathrm{GF}(p)$ [4]. As for an elliptic curve over $\mathrm{GF}(2^m)$, which we call a binary field hereafter, the computational cost of the Frobenius endomorphism $\phi$ is very low. This made their implementation about twice as fast as that reported by Bailey and Paar.

Lim and Hwang presented implementations that do not use any epoch-making techniques; however, their accumulation of minor techniques increased the speed of their implementation by approximately two-fold [7,8].



2.3 Window Algorithms 



The window algorithm computes $kP$ using online precomputation. A brief description of the algorithm is given below.

Step 1: Compute $Q_i \leftarrow iP$ for $2 \le i < 2^w$, and let $Q_0 = O$ and $Q_1 = P$.

Step 2: Using $c_i$ satisfying $k = \sum_{i=0}^{\lfloor \log_2 k / w \rfloor} 2^{wi} c_i$ ($0 \le c_i < 2^w$), compute

$$kP = \sum_{i=0}^{\lfloor \log_2 k / w \rfloor} 2^{wi} Q_{c_i}.$$

It accelerates scalar multiplication in comparison with the binary algorithm [1, Algorithms 14.76 and 14.79 on pp. 614-615].

Moreover, the sliding window algorithm [1, Algorithm 14.85 on p. 616] was proposed to improve the window algorithm. Using $c_i$ and $w_i$ satisfying

$$k = \sum_{i=0}^{\lfloor \log_2 k / w \rfloor} 2^{w_i} c_i, \qquad \text{compute} \qquad kP = \sum_{i=0}^{\lfloor \log_2 k / w \rfloor} 2^{w_i} Q_{c_i},$$

where $w_i \ge w_{i-1} + w$.

This paper applies this approach to the base-$\phi$ expansion algorithm, and proposes an improved version of the sliding window algorithm called the cyclic window algorithm to compute $\sum_{i=0}^{m-1} c_i \phi^i P$.



3 Cyclic Window Algorithm 

This section proposes the cyclic window algorithm and analyzes it. The cyclic window algorithm computes the scalar multiplication $kP$.

3.1 Notations

This section defines the notations used in the following sections that have not appeared in the previous sections.

Definition 1. Let $\bar{x}$ be the complement of all elements of the binary vector $x$. That is,

$$\overline{[x_0, x_1, \dots, x_{m-1}]} := [\bar{x}_0, \bar{x}_1, \dots, \bar{x}_{m-1}]. \tag{2}$$

A Cyclic Window Algorithm for ECC

Definition 2. The $\phi$ mapping of the vector $[x_0, x_1, \dots, x_{m-1}]$ is defined as

$$\phi[x_0, x_1, \dots, x_{m-2}, x_{m-1}] := [x_{m-1}, x_0, x_1, \dots, x_{m-2}].$$

Definition 3. "$a \sqsupseteq b$" is true if the binary vector $a$ includes the binary vector $b$. More precisely,

$$[x_0, x_1, \dots, x_{m-1}] \sqsupseteq [y_0, y_1, \dots, y_{m-1}] = \begin{cases} \text{true} & \text{if } x_j \vee y_j = x_j \ (\text{i.e. } x_j \ge y_j) \text{ for all } j\ (0 \le j < m) \\ \text{false} & \text{otherwise.} \end{cases}$$

Definition 4. $W_H(x)$: the Hamming weight of $x$, i.e. the number of non-zero elements of the vector $x$.

Definition 5. $v_i := [1, e_{i,0}, e_{i,1}, \dots, e_{i,m-2}]$, where $e_{i,j}$ is the binary representation of $i$ ($0 \le i < 2^{m-1}$) in little-endian fashion, i.e. $e_{i,j}$ satisfies

$$i = \sum_{j=0}^{m-2} e_{i,j}\, 2^j, \qquad e_{i,j} \in \{0, 1\}. \tag{3}$$

For example, we have $v_1 = [1, 1, 0, 0, 0, 0, 0]$ and $v_{13} = [1, 1, 0, 1, 1, 0, 0]$ for $m = 7$.

3.2 Our Approach 

This section describes the key idea of the cyclic window algorithm using an example.

We assume that $k$ has already been expanded into its base-$\phi$ representation, for example

$$k = 4 + 11\phi + 7\phi^2 + 2\phi^3 + 3\phi^4 + 1\phi^5 + 0\phi^6,$$

and $m = 7$. The expansion can be done using [4, Step 1 in Base-$\phi$ Scalar Multiplication Procedure], for example. Let $n'$ be the size of the coefficients of the expansion.

We use the online precomputation table as follows:

$$Q_1 = \big(v_1 \cdot [1, \phi, \dots, \phi^{m-1}]^T\big)P = (1 + \phi)P$$
$$Q_2 = \big(v_2 \cdot [1, \phi, \dots, \phi^{m-1}]^T\big)P = (1 + \phi^2)P$$
$$Q_3 = \big(v_3 \cdot [1, \phi, \dots, \phi^{m-1}]^T\big)P = (1 + \phi + \phi^2)P$$

Let $L$ be the number of points in the table.

First, we write the base-$\phi$ representation as binary representations (see Fig. 1). Second, we reduce the number of 1s using signed-binary forms, applying the condition $(1 + \phi + \phi^2 + \dots + \phi^{m-1})P = O$ [4]¹ (see Fig. 2).

¹ Take care in choosing $P$. There may be a point for which the equation does not hold, because the underlying ring is not always an integral domain.
Fig. 1. Binary Representation of the Coefficients in Base-$\phi$ Expansion (the coefficients 4, 11, 7, 2, 3, 1, 0 of $\phi^0, \dots, \phi^6$, each written as a 4-bit binary row).

Fig. 2. How to Use the Precomputation Table (the same rows after the signed-binary reduction, with the bit columns matched against $Q_1$, $Q_2$, $Q_3$).


Since we can compute $\phi^j Q_i$ from the precomputed point $Q_i$ at low cost, we can refer not only to $Q_i$ but also to $\phi^j Q_i$ ($0 \le j \le m-1$) as a precomputed point. Fig. 2 shows how this is used in the low-order bits of the example: the column $\phi + \phi^2 + \phi^3 + \phi^4$ becomes $-(1 + \phi^5 + \phi^6)$ after the reduction. With the basic sliding window algorithm this term is computed as

$$-P - \phi^5 P - \phi^6 P,$$

but we can "wrap" the precomputed point $Q_1$ from $\phi^6$ to $\phi^0$ since $\phi^7 P = P$. Thus we can use the precomputed points cyclically as follows:

$$-\phi^5 P - \phi^6 Q_1.$$

With $Q_3$ in the table the same term is the single point $-\phi^5 Q_3$, since $\phi^5 Q_3 = \phi^5 P + \phi^6 P + \phi^7 P = \phi^5 P + \phi^6 P + P$.

Following the above observations, we can compute $kP$ using (4) with the precomputed points $Q_1$, $Q_2$ and $Q_3$, similarly to the left-to-right binary algorithm for multiple bases [1, Algorithm 14.88 on p. 618]. It requires only four elliptic curve additions and three elliptic curve doublings after the three elliptic curve additions and subtractions of the online precomputation stage.

$$kP = 2\Big(2\big(2(\phi P) + Q_2\big) - \phi^5 Q_3\Big) + \phi Q_1 + \phi^4 Q_1 \tag{4}$$



3.3 Procedure 

Using the notations defined above, we propose the cyclic window algorithm in Fig. 3². The algorithm computes the scalar multiplication $kP$, but we assume that the scalar $k$ has already been expanded into its base-$\phi$ representation using [4, Steps 1 and 2 in Base-$\phi$ Scalar Multiplication Procedure], so that

$$k = \sum_{i=0}^{m-1} c_i \phi^i \qquad (c_i \ge 0).$$

² It is trivial that we can omit the first elliptic curve doubling and addition in the main computation stage, but we do not describe this in the figure, since we describe the algorithm as simply as possible for easy understanding.

By [8, the explanation for (14)], we assume $\log_2 c_i < n\ (= n')$, where $n$ is the size of $p$ and $n'$ is the maximum size of the coefficients $c_i$. The algorithm takes as input the structure of the online precomputation table, $\{u_0, u_1, \dots, u_L\}$. The structure is defined in Sect. 4.1.

Note that the algorithm is a generalization of Solinas' algorithm [5].

Input: $c_i$ ($0 \le c_i < 2^{n'}$), $P$, $m$, $\{u_0, u_1, \dots, u_L\}$ ($\subset \{v_0, v_1, \dots, v_{2^{m-1}-1}\}$)

Output: $\sum_{i=0}^{m-1} c_i \phi^i P$

Step 1: [Coefficient adjustment stage]

Let $c_{ij}$ be the $j$-th bit of $c_i$ and $d_j$ the vector collecting the $c_{ij}$, i.e.

$$c_i = \sum_{j=0}^{n'-1} c_{ij}\, 2^j, \quad c_{ij} \in \{0, 1\}, \qquad\text{and}\qquad d_j \leftarrow [c_{0,j}, c_{1,j}, \dots, c_{m-1,j}].$$

If $W_H(d_j) > (m+1)/2$ then $s_j \leftarrow -1$ and $d_j \leftarrow \bar{d}_j$, else $s_j \leftarrow 1$.

Step 2: [Online precomputation stage]

Compute $Q_l \leftarrow u_l \cdot [P, \phi P, \phi^2 P, \dots, \phi^{m-1} P]^T$ for $0 \le l \le L$.

Step 3: [Main computation stage]

    R ← O
    for j = n' − 1 downto 0 do
        R ← 2R
        for l = L downto 0 do
            for i = 0 to m − 1 do
                if d_j ⊒ φ^i u_l then
                    d_j ← d_j ⊕ φ^i u_l,  R ← R + s_j φ^i Q_l
                end if
            end for i
        end for l
    end for j
    Output R.

Fig. 3. Cyclic Window Algorithm Procedure
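As an added example (not code from the paper), the following Python runs the procedure of Fig. 3, together with the window-algorithm ideas of Sect. 2.3 it generalizes, in a toy model rather than on a real curve over an OEF. A "point" is the integer vector of coefficients of $[P, \phi P, \dots, \phi^{m-1}P]$ in the module $\mathbb{Z}[\phi]/(\phi^m - 1,\ 1 + \phi + \dots + \phi^{m-1})$, which encodes exactly the two facts the algorithm relies on, $\phi^m P = P$ and $(1 + \phi + \dots + \phi^{m-1})P = O$; any identity that holds in this model holds in the curve group, so the model checks the algorithm's correctness and counts its group operations without any field arithmetic. The function names and the table choices are the example's own; the table $\{v_0, \dots, v_L\}$ follows the heuristic of Sect. 4.1.

```python
import random

# Toy model of the cyclic window algorithm (Fig. 3): a point is a coefficient vector
# of [P, phi P, ..., phi^(m-1) P] taken modulo the all-ones vector, so that
# phi^m P = P (rotation) and (1 + phi + ... + phi^(m-1)) P = O (all-ones is zero) hold.


def canon(vec):
    # Quotient by the all-ones vector: fix the last coordinate to zero.
    last = vec[-1]
    return tuple(x - last for x in vec)


def identity(m):
    return tuple([0] * m)


def base_point(m):
    return canon([1] + [0] * (m - 1))


def add(a, b):
    return canon([x + y for x, y in zip(a, b)])


def neg(a):
    return canon([-x for x in a])


def dbl(a):
    return canon([2 * x for x in a])


def frob(a, i=1):
    # Definition 2: phi rotates [x_0, ..., x_{m-2}, x_{m-1}] to [x_{m-1}, x_0, ..., x_{m-2}].
    m = len(a)
    i %= m
    return canon(list(a[m - i:]) + list(a[:m - i]))


def v(i, m):
    # Definition 5: v_i = [1, e_{i,0}, ..., e_{i,m-2}], e = little-endian bits of i.
    return [1] + [(i >> j) & 1 for j in range(m - 1)]


def rotate_bits(u, i):
    m = len(u)
    i %= m
    return u[m - i:] + u[:m - i]


def covers(d, u):
    # Definition 3: d includes u iff d_j >= u_j for every j.
    return all(dj >= uj for dj, uj in zip(d, u))


def precompute(m, table):
    # Step 2: Q_l = u_l . [P, phi P, ..., phi^(m-1) P]^T
    P = base_point(m)
    qs = []
    for u in table:
        q = identity(m)
        for i, bit in enumerate(u):
            if bit:
                q = add(q, frob(P, i))
        qs.append(q)
    return qs


def cyclic_window(c, m, table):
    """Fig. 3. c = [c_0, ..., c_{m-1}] is the base-phi expansion of k; table = {u_0, ..., u_L}
    with u_0 = v_0. Returns (kP, additions, doublings). Operations whose input is O are
    not counted, matching footnote 2 of the paper."""
    assert len(c) == m and table[0] == v(0, m)
    n_prime = max(1, max(ci.bit_length() for ci in c))
    d, s = [], []  # Step 1: bit columns d_j and their signs s_j
    for j in range(n_prime):
        col = [(ci >> j) & 1 for ci in c]
        if sum(col) > (m + 1) / 2:
            col, sign = [1 - b for b in col], -1
        else:
            sign = 1
        d.append(col)
        s.append(sign)
    qs = precompute(m, table)
    O = identity(m)
    R, adds, dbls = O, 0, 0
    for j in range(n_prime - 1, -1, -1):  # Step 3: left to right over the bit columns
        if R != O:
            R, dbls = dbl(R), dbls + 1
        dj = d[j]
        for l in range(len(table) - 1, -1, -1):
            for i in range(m):
                shifted = rotate_bits(table[l], i)
                if covers(dj, shifted):
                    dj = [a ^ b for a, b in zip(dj, shifted)]
                    term = frob(qs[l], i)
                    if s[j] < 0:
                        term = neg(term)
                    if R != O:
                        adds += 1
                    R = add(R, term)
    return R, adds, dbls


def direct(c):
    # sum_i c_i phi^i P written out directly in the model, for comparison.
    return canon(list(c))


def paper_example():
    # k = 4 + 11 phi + 7 phi^2 + 2 phi^3 + 3 phi^4 + phi^5, m = 7, table {v_0, v_1, v_2, v_3}.
    c, m = [4, 11, 7, 2, 3, 1, 0], 7
    return cyclic_window(c, m, [v(i, m) for i in range(4)]), direct(c)


def eq4_by_hand():
    # The hand-derived formula (4): 2(2(2(phi P) + Q_2) - phi^5 Q_3) + phi Q_1 + phi^4 Q_1.
    m = 7
    q = precompute(m, [v(i, m) for i in range(4)])
    r = add(dbl(frob(base_point(m), 1)), q[2])
    r = add(dbl(r), neg(frob(q[3], 5)))
    return add(add(dbl(r), frob(q[1], 1)), frob(q[1], 4))


def random_check(m, n_prime, table_size, trials=20, seed=3):
    # Constructed random expansions: the procedure must agree with direct(c) every time.
    rng = random.Random(seed)
    table = [v(i, m) for i in range(table_size + 1)]
    for _ in range(trials):
        c = [rng.randrange(1 << n_prime) for _ in range(m)]
        if cyclic_window(c, m, table)[0] != direct(c):
            return False
    return True
```

`paper_example()` returns the result of the greedy procedure on the expansion of Sect. 3.2 together with the directly written value, and `eq4_by_hand()` evaluates the hand-optimised formula (4) in the same model; the two agree with each other and with `direct(c)`, while the operation counts returned by `cyclic_window` are those of the greedy loop of Fig. 3 rather than of the hand derivation. The counts are the quantity Sect. 4 estimates analytically; the model makes it cheap to tabulate them for other $(m, L)$ choices.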
4 Evaluation of Cyclic Window Algorithm

In this section, we evaluate the performance of the cyclic window algorithm applied to OEF for practically used parameters: the size of the maximum prime order subgroup is at least 160 bits and at most 256 bits.



4.1 Table Structure 

Deciding on the structure of the online precomputation table is difficult. We propose the following heuristic strategy.

Let $T = \{u_0, u_1, \dots, u_L\}$ be the subset of $\{v_0, v_1, \dots, v_{2^{m-1}-1}\}$ that satisfies the following conditions:

- $u_0 = v_0$
- $W_H(u_l) \le W_H(u_{l+1})$
- $\sigma(l) < \sigma(l+1)$ if $W_H(u_l) = W_H(u_{l+1})$, where $\sigma(\cdot)$ is a permutation of the set $\{0, 1, \dots, 2^{m-1}-1\}$ satisfying $u_l = v_{\sigma(l)}$
- $\sigma(L)$ is as small as possible.



4.2 Table Size 



In this section, we evaluate the bound on the online precomputation table size $L$. Since the extension degree is $m$ and the table need not contain $O$ and $P$, the table size is at most $2^m - 2$. However, we need only one point of each set

$$\{\phi^i uP,\ \phi^i \bar{u}P \mid 0 \le i < m\} \tag{5}$$

because the other points can easily be computed in the main computation stage. Since $m$ is an odd prime, the size of Set (5) is exactly $2m$. Thus it is sufficient to choose

$$L = \frac{2^{m-1} - 1}{m} - 1 \tag{6}$$

at most.

Table 1 gives the values derived from (6).

Table 1. Table Size Bound

Extension degree m        3     5     7    11    13     17      19
Bound of table size L     0     2     8    92   314   3854   13796
4.3 Small Extension Degree

In this section, we consider preparing a table of maximum size. In this case each bit column needs at most one elliptic curve addition in the main loop of the main computation stage. Of course, a large $m$ makes the online precomputation stage much more expensive. Referring to Table 1, we study the case of small $m$, that is, $m \le 7$, where the table is small: at most 8 points. By the coupon collector's argument, the probability that some point in the table is never referred to in Step 3 of Fig. 3 is very low if the coefficient size $n'$ of the base-$\phi$ expansion exceeds $8 \log 8 \approx 17$. On the other hand, $n$, the size of $p$, is large because the prime order subgroup must be sufficiently large. Since $n'$ is larger than $160/(m-1) \approx 27$, it exceeds 17. Thus maximizing $L$ makes the cyclic window algorithm perform fastest.

To summarize the above discussion, the cyclic window algorithm requires

$$\frac{2^{m-1} - 1}{m} - 1$$

elliptic curve additions for the online precomputation, $n' - 1$ elliptic curve doublings and

$$(n' - 1)\left(1 - \frac{2}{2^m}\right)$$

elliptic curve additions for the main computation on average (a bit column costs nothing only when it is all zeros or all ones, which happens with probability $2/2^m$).



4.4 Large Extension Degree 

In this section, we consider a large $m$, say $m \ge 11$. As the previous sections show, maximizing the table size is not effective here because the maximum table size is very large, and a precise complexity analysis seems very difficult. Therefore, we computed by program the average number of elliptic curve additions in the $j$-loop of Step 3 of Fig. 3 over all $d_j$ to which the "if" clause of Step 1 does not apply. Table 2 shows the computed results for $m$ and $L$. Let $t_{m,L}$ denote a value in Table 2. The cyclic window algorithm then requires $L$ elliptic curve additions for the online precomputation, $n' - 1$ elliptic curve doublings and $(n' - 1)\, t_{m,L}$ elliptic curve additions for the main computation on average.

Table 2 shows that the table construction described in Sect. 4.1 is not the best: there are entries where a larger table gives more matches than a smaller one. However, the tendency of the values in Table 2 is that the greater the table size, the fewer the matches.



4.5 Comparison with the Best Previous Result 

To the best of the author's knowledge, Lim and Hwang's results [7,8] are the fastest previously reported. Their computational complexity is evaluated in [8, Sect. 5]. They tried to evaluate their algorithm for general cases, but precise numbers were not given, since their evaluation contains parameters. However, they could derive precise numbers when $m$ and $n'$ were fixed, and showed numbers for $(m, n') = (7, 28)$, $(11, 16)$ and $(13, 14)$. We derive the optimal table
Table 2. Average Matches for Each Bit in the Coefficients of the Base-$\phi$ Expansion (rows: table size $L$; columns: extension degree $m$)

  L \ m     11     13     17     19
   0      4.15   5.03   6.83   7.74
   1      3.09   3.70   4.94   5.57
   2      2.67   3.20   4.30   4.85
   3      2.45   2.93   3.89   4.37
   4      2.31   2.78   3.69   4.16
   5      2.17   2.64   3.51   3.95
   6      2.08   2.53   3.36   3.79
   7      2.02   2.45   3.23   3.63
   8      1.97   2.39   3.17   3.57
   9      1.96   2.33   3.12   3.51
  10      1.93   2.26   3.04   3.42
  11      1.90   2.20   2.97   3.33
  12      1.90   2.16   2.94   3.28
  13      1.87   2.11   2.88   3.22
  14      1.84   2.07   2.83   3.16
  15      1.83   2.06   2.80   3.11
  16      1.82   2.03   2.79   3.09
  17      1.80   2.05   2.78   3.09
  18      1.79   2.04   2.75   3.07
  19      1.78   2.03   2.72   3.05
  20      1.77   2.01   2.69   3.01
  21      1.76   1.98   2.66   2.98
  22      1.75   1.97   2.63   2.95
  23      1.74   1.96   2.60   2.92


size for the above parameters in order to compare with their results. However, we only compare the number of elliptic curve additions, since the cyclic window algorithm and the Lim-Hwang algorithm require the same number of elliptic curve doublings.

When $m$ equals 7, $L = 8$ is the optimal choice according to Sect. 4.3³. Thus the scalar multiplication requires

$$8 + (28 - 1)\left(1 - \frac{2}{2^7}\right) = 34.6$$

elliptic curve additions on average.

When $m$ equals 11 or 13, we need to find the smallest

$$L + (n' - 1)\, t_{m,L} \tag{7}$$

using Table 2. We tried all combinations in (7) and found that $L = 6$ for $m = 11$ and $L = 7$ for $m = 13$ are the optimal choices⁴. These cases require

$$6 + (16 - 1)\cdot 2.08 = 37.2 \qquad\text{and}\qquad 7 + (14 - 1)\cdot 2.45 = 38.9$$

elliptic curve additions, respectively. We summarize the above numbers and compare them with Lim and Hwang's results in Table 3.

5 Implementation Examples 

5.1 Parameters 

We use the following parameters, which are constructed [4] by the Weil conjecture; 
the field parameters are shown in the upper columns of Table 4. Note that α 
is a root of the f(x) used in GF(p)[x]/(f(x)), and we choose the base point as a 
generator of the maximum prime order subgroup. 

* This case requires 448 bytes for storing the online precomputation table, when using 
the parameter shown in Table 4. 

** These cases require 264 and 364 bytes for storing the online precomputation table, 
respectively, when using the parameters shown in Table 4. 
Table 3. Comparison with Lim and Hwang's Results

(m, n')    Online precomp.     Main comp.                   Total
           Ours     [8]        Ours          [8]            Ours          [8]
(7, 28)    8Ae      15Ae       34.6Ae+27De   41.2Ae+27De    42.6Ae+27De   56.2Ae+27De
(11, 16)   6Ae      13Ae       37.2Ae+15De   41.7Ae+15De    43.2Ae+15De   54.7Ae+15De
(13, 14)   7Ae      14Ae       38.9Ae+13De   44.1Ae+13De    45.9Ae+13De   58.1Ae+13De

"Ae" and "De" denote the computational cost of an elliptic curve addition and an 
elliptic curve doubling, respectively. 



Word length: 16 bits    y² = x³ − 3x − 172 

Maximum prime order in subgroups: 3 7735447064 0784663733 8580162818 
7749646114 9221530761 (exceeding 168 bits) 

Base point: (10869α^12 + 3898α^11 + 15358α^10 + 3782α^9 + 4242α^8 + 7589α^7 + 5310α^6 + 
12599α^5 + 10370α^4 + 9316α^3 + 8340α^2 + 184α + 9573,  8924α^12 + 9141α^11 + 9472α^10 + 
8964α^9 + 14633α^8 + 4204α^7 + 5379α^6 + 13644α^5 + 11470α^4 + 15042α^3 + 6518α^2 + 
15906α + 7391) 

Word length: 32 bits    y² = x³ − 3x − 85 

Maximum prime order in subgroups: 239 4696831448 0862150279 8948628438 
5174133848 4034750169 (exceeding 174 bits) 

Base point: (200472906α^6 + 172723217α^5 + 174386879α^4 + 403718784α^3 
+ 23043362α^2 + 525400877α + 17252111,  523133120α^6 + 178522781α^5 
+ 357710308α^4 + 10611891α^3 + 423928020α^2 + 2135201α + 535095305) 

5.2 Timings 

Based on the above discussion, we implemented scalar multiplication on the 
elliptic curves. The timing is summarized in Table 4. In the table, † means that 
we adopted the parallel multiplication technique described in [11]. For example, 
we can compute two OEF multiplications in 604 cycles on a Pentium II. Table 4 
also shows Lim and Hwang's results [7,8] as a reference. We refer to the detailed 
timings shown in [7]. However, we refer to the timings of the scalar multiplication 
shown in [8], since the timings of a scalar multiplication shown in [8] are faster 
than those in [7]. The results are scaled to 450 MHz for the Pentium II and 500 MHz 
for the 21164. 

Our implementations on the Pentium II, 21164A, and 21264 use Jacobian 
coordinates, affine coordinates, and the coordinates proposed in [7, Sect. 2.2], 
respectively. We selected a 160-bit random integer as a scalar. Even if we select a 
number close to the order of the subgroup generated by the base point as a scalar, the 
time for the main computation stage hardly increases, but the time for converting 
a scalar to the base-φ representation increases slightly. Note that a = −3 is 
always used in (1) for fast implementation purposes. 



Table 4. Elliptic Curve Scalar Multiplication (cycles) 

                                    Current study                             [7]
CPU                       Pentium II   21164A     21264      Pentium II             21164
p                         2^14 − 3     2^29 − 3   2^29 − 3   2^14 − 3    2^28 − 57  2^28 − 57
f(x)                      x^13 − 2     x^7 − 2    x^7 − 2    x^13 − 2    x^7 − 2    x^7 − 2
Subgroup order (bits)     168          174        174        168         168        168
scalar mult (μs)          573          595        254        791         687        672
scalar mult (10³ cycles)  258          298        127        356         309        336
EC add (A)                NA           3412       1544       6091        4628       4866
EC dbl (A)                NA           3830       1621       6863        5107       5543
EC add (P)                (M)3692      4152       1524       6171        4256       4696
EC dbl (P)                2528         3128       1164       4442        3086       3518
OEF inv                   †4824        2120       1010       4200        3259       3292
OEF mult                  †604         323        117        543         379        383
OEF sqr                   †525         309        99         404         301        359
OEF φ                     111          116        70
OEF add                   26           58         28         91          42         59
OEF sub                   21           58         28
GF(p) inv                 †266         219        19         457         376

• (A): affine, (P): projective 
• (M): the addend is represented in affine coordinates 
• †: two operations computed together with the parallel multiplication technique of [11] 
• NA: Not Available 
• Pentium II (450 MHz), other CPUs (500 MHz) 



6 Conclusion 

This paper presented the cyclic window algorithm, a new scalar multiplication 
algorithm for elliptic curves defined over OEF. The algorithm first makes an 
online precomputation table and then computes a scalar multiplication using 
the precomputation table together with the Frobenius map. The condition φ^m = 1 
on the Frobenius map allows us to use the precomputation table cyclically. This 
intensive use of the Frobenius map makes scalar multiplication about 15% faster than 
the previously reported best results [7,8]. We also implemented our algorithm in 
software. A scalar multiplication can be computed in 573 μs, 595 μs, and 254 μs 
on Pentium II (450 MHz), 21164A (500 MHz), and 21264 (500 MHz) computers, 
respectively. 

Finally, how to decide the structure of the online precomputation table is left 
for future study. 
Abstract. Hyperelliptic curve cryptosystems (HCC for short) are a generalization 
of ECC. They have been drawing the attention of more and more researchers in 
recent years. The problem of how to decrease the amount of addition and scalar 
multiplication on the Jacobians of hyperelliptic curves, so that the implementation 
speed can be improved, is very important for the practical use of HCC. In this 
paper, using the Frobenius endomorphism as a tool, we discuss the problem of 
faster scalar multiplication. A faster algorithm for scalar multiplication on the 
Jacobian of a family of specific hyperelliptic curves is proposed, with its 
computational cost analyzed. The analysis reveals that our algorithm's 
computational cost is less than that of the Signed Binary Method. 



1 Introduction 

The security of many public key cryptosystems is based on the complexity of 
computing the discrete logarithm in finite abelian groups. The major issue arising 
in this context is the choice of a suitable group. For example, the multiplicative 
group of a finite field, which was proposed by the inventors of public key cryptog- 
raphy, turned out to be inappropriate, since it allows a subexponential algorithm 
for solving the discrete logarithm problem: The index calculus method. 

Elliptic curve cryptosystems, proposed independently by Neal Koblitz [6] and Victor 
Miller [9] in 1985, have been shown to be a good choice for building public key 
cryptosystems, because the corresponding discrete logarithm problem seems to be 
very hard. In particular, methods like index calculus are not applicable to them. 
Since they offer a high level of security even for shorter keys, elliptic curve 
cryptosystems are the optimal choice for smart cards and a number of other 
environments which provide only limited storage space. Therefore, they are widely 
used today. As a natural extension, Neal Koblitz [8] proposed hyperelliptic 
curve cryptosystems (HCC) in 1989, which are based on the discrete logarithm 
problem on the Jacobian of hyperelliptic curves over finite fields. The Jacobians 
of hyperelliptic curves turned out to be a rich source of finite abelian groups for 
defining one-way functions. Cantor's algorithm [2] provides an efficient method 
to implement the group operation on the Jacobian of a hyperelliptic curve. At 
the same level of security, the base field of hyperelliptic curve cryptosystems is 
smaller than that of ECC, and almost all protocols based on the standard DLP, 
such as DSA and ElGamal, can be transplanted to HCC. HCC may be faster than 
elliptic curve cryptosystems, as the use of multiprecision integer arithmetic 
can be avoided for appropriate parameters. 

* This work was supported by the project 973 of China under the reference number 
G1999035804. 

There are many theoretical results on elliptic curves; however, up to now the 
results on hyperelliptic curves are still not sufficient for the construction of 
efficient cryptosystems, even though hyperelliptic curves promise to be the 
foundation of cryptosystems for the next decades. 

Current research on HCC concentrates on finding construction methods for 
secure hyperelliptic curves and speeding up the arithmetic needed in HCC. At 
present, the common method used to compute the order of the Jacobian is the Weil 
conjecture method. Although the Weil conjecture method can find only a few curves, 
it is simple and fast. As for scalar multiplication in the Jacobian, most methods 
are similar to those for the addition group of elliptic curves. In [5], C. Günther et al. 
extended the Frobenius expansion [10] of elliptic curve scalar multiplication over GF(2), 
and used it in the scalar multiplication on the Jacobian of hyperelliptic curves over 
GF(2), thus speeding up the computation. The available implementations of HCC 
show that they are slower than the implementations of ECC [12][13][14]. Hence, 
how to decrease the amount of point addition and scalar multiplication on the 
Jacobians of hyperelliptic curves, so as to improve the implementation speed of 
HCC, is a very important problem for the practical use of HCC. 

In this paper, the Jacobian of a family of hyperelliptic curves is discussed. Using 
the Frobenius endomorphism as a tool, we study faster scalar multiplication, 
and present a faster algorithm for scalar multiplication on the Jacobian of a family 
of specific curves. We also analyze the computational cost of the algorithm. The 
analysis shows that the computational cost of our algorithm is less than that of 
the Signed Binary Method. 

The paper is organized as follows. In Section 2, we introduce hyperelliptic 
curves and their operations. In Section 3, we introduce the Frobenius automorphism 
of the Jacobian of hyperelliptic curves and its properties. Section 4 studies 
a family of hyperelliptic curves with genus g = 2 over GF(q). In Section 5 we 
propose a faster algorithm for scalar multiplication on the Jacobian of a family of 
specific curves and analyze its computational cost. Section 6 contains some 
concluding remarks. 



2 Hyperelliptic Curves and Their Operations 

2.1 Hyperelliptic Curves and Their Jacobian 

We first introduce the definition and properties of hyperelliptic curves over a finite 
field; more details can be found in references [1][2][7][8]. Let F_q be a finite field 
and F̄_q its algebraic closure. A hyperelliptic curve over F_q with genus g is 
defined by the following equation: 

C : y² + h(x)y = f(x)   (1) 

where f(x), h(x) ∈ F_q[x], f(x) is a monic polynomial of degree 2g+1 and h(x) 
is a polynomial of degree at most g, and there are no points (x, y) ∈ F̄_q × F̄_q 
which simultaneously satisfy the equation y² + h(x)y = f(x) and the partial 
derivative equations 2y + h(x) = 0 and h'(x)y − f'(x) = 0 (a point satisfying the 
above conditions is called a singular point, and there is no singular point on a 
hyperelliptic curve). Let F_{q^n} be an extension field of F_q; the set of F_{q^n}-rational 
points on C, denoted C(F_{q^n}), is the set of all points P = (x, y) ∈ F_{q^n} × F_{q^n} 
which satisfy equation (1), together with a special point at infinity denoted ∞. Let 
P = (x, y) be a finite point on the hyperelliptic curve C; the opposite of P, denoted 
P̃, is defined as P̃ = (x, −y − h(x)), and ∞̃ = ∞. A divisor on C is a finite formal 
sum D = Σ_P m_P P, where the m_P are integers that are 0 for almost all P. The degree 
of D is defined by deg D = Σ_P m_P. If D = σ(D) for all σ ∈ Gal(F̄_q / F_{q^n}) (the 
Galois group of F̄_q over F_{q^n}), then D is said to be defined over F_{q^n}. The set 
D_C(F_{q^n}) of all divisors defined over F_{q^n} forms an abelian group, with the set 
of divisors of degree 0 as a subgroup, that is D⁰_C(F_{q^n}) ⊂ D_C(F_{q^n}). The divisor 
of a polynomial G(x, y) ∈ F̄_q[x, y] is defined by 

div(G(x, y)) = Σ_P ord_P(G) P − (Σ_P ord_P(G)) ∞ 

where ord_P(G) is the order of the zero or pole of G(x, y) at P. The divisor 
of a rational function G(x, y)/H(x, y) is defined by div(G(x, y)/H(x, y)) = 
div(G(x, y)) − div(H(x, y)) and is called a principal divisor. We denote the 
group of principal divisors by P_C(F_{q^n}). Since every principal divisor has degree 
0, P_C(F_{q^n}) is a subgroup of D⁰_C(F_{q^n}). Finally, the Jacobian of C defined over 
F_{q^n} is given by J(C; F_{q^n}) = D⁰_C(F_{q^n}) / P_C(F_{q^n}). 

2.2 The Group Operation and Discrete Logarithm over the Jacobian 

A hyperelliptic curve C with genus g is defined over a finite field F_q (let q = p^r), and 
its Jacobian over F_{q^n} is an abelian group. From the work of Neal Koblitz [8] and 
Cantor [2], we know that an element D = Σ m_i P_i − (Σ m_i)∞ (here Σ m_i ≤ g, 
P_i = (x_i, y_i)) of the Jacobian of C is uniquely determined by two polynomials a and 
b in F_{q^n}[x], where a(x) = Π (x − x_i)^{m_i}, and a, b satisfy: 1) deg b < deg a ≤ g; 
2) b(x_i) = y_i for all i with m_i ≠ 0; 3) b² + hb − f ≡ 0 (mod a). 
D = g.c.d.(div(a(x)), div(b(x) − y)); in general we write it as D = [a, b]. The 
g.c.d. of two divisors D_1 = Σ m_i P_i − (Σ m_i)∞ and D_2 = Σ n_i P_i − (Σ n_i)∞ is 
defined as follows: g.c.d.(D_1, D_2) = Σ min(m_i, n_i) P_i − (Σ min(m_i, n_i))∞. 

Addition in the Jacobian is accomplished by two procedures: Composition 
and Reduction. 

Algorithm 1: Addition in the Jacobian 

Input: two divisors D_1 = [a_1, b_1] and D_2 = [a_2, b_2] in the Jacobian 
Output: D_3 = [a_3, b_3] = D_1 + D_2 

Composition: 
1) Compute d = gcd(a_1, a_2, b_1 + b_2 + h) = s_1 a_1 + s_2 a_2 + s_3 (b_1 + b_2 + h). 
2) Let a = a_1 a_2 / d². 
3) Let b = (s_1 a_1 b_2 + s_2 a_2 b_1 + s_3 (b_1 b_2 + f)) / d (mod a). 

Reduction: 
4) Let a_3 = (f − bh − b²)/a, b_3 = (−h − b) (mod a_3). 
5) If deg a_3 > g, let a = a_3 and b = b_3, and return to 4). 
6) Let a_3 = c^{−1} a_3, where c is the leading coefficient of a_3. 
7) Output (a_3, b_3). 

Algorithm 2: Doubling in the Jacobian 

Input: a divisor D_1 = [a_1, b_1] in the Jacobian 
Output: D_2 = [a_2, b_2] = D_1 + D_1 

Composition: 
1) Compute d = gcd(a_1, 2b_1 + h) = s_1 a_1 + s_3 (2b_1 + h). 
2) Compute a = a_1² / d², b = (2 s_1 a_1 b_1 + s_3 (b_1² + f)) / d (mod a). 

Reduction: 
3) Let a_2 = (f − bh − b²)/a, b_2 = (−h − b) (mod a_2). 
4) If deg a_2 > g, let a = a_2, b = b_2, and return to 3). 
5) Let a_2 = c^{−1} a_2, where c is the leading coefficient of a_2. 
6) Output (a_2, b_2). 

The generic addition needs 17g² + O(g) operations in F_{q^n}, whereas doubling 
needs 16g² + O(g) operations in F_{q^n}. So we can assume that both operations 
have roughly the same complexity. It is important to note that inversion in the 
Jacobian is basically for free, since the opposite of D = [a(x), b(x)] is given by 
[a(x), −h(x) − b(x)]. 

By the discussion in [3], for divisor addition it is not difficult to compute 
the average number of operations in GF(2^n) for curves with p = 2, g = 2, h = x: 
composition needs 4g² + 5g + 2 = 28 multiplications and 2 inversions; reduction 
needs (7/6)g³ + 3g² − (1/6)g = 21 multiplications and (1/2)g + 1 = 2 inversions. 
The total number of operations is 49 multiplications and 4 inversions (or 89 
multiplications under the assumption that one inversion is equivalent to 10 
multiplications). 

In this case, the composition step of divisor doubling can be simplified as follows 
(let a_1(x) = x² + γx + θ): 

1) If θ = 0, then d = x, s_1 = 0, s_3 = 1; else d = 1, s_1 = θ^{−1}, s_3 = θ^{−1}(x + γ); 
2) Compute a = a_1² / d², b = (b_1² + f) / d (mod a). 

The probability of θ = 0 is 1/2^n, which is negligible. In characteristic 2, squaring 
a polynomial of degree l takes l + 1 squarings in the underlying field. Assuming 
that the field arithmetic is implemented using normal bases, these squarings are 
essentially for free, hence we do not count them. Therefore the average number 
of operations in GF(2^n) for divisor doubling is 11 multiplications and 2 inversions 
in composition, and (7/6)g³ + 3g² − (1/6)g = 21 multiplications and (1/2)g + 1 = 2 
inversions in reduction. The total is 32 multiplications and 4 inversions (about 72 
multiplications). 

The scalar multiplication on J(C; F_{q^n}) is to compute mD = D + D + ··· + D (m times), 
where D is a generator of J(C; F_{q^n}) (or of a subgroup of J(C; F_{q^n}) with order n) 
and m is a random integer with m < #J(C; F_{q^n}) (or m < n). 

The discrete logarithm problem in J(C; F_{q^n}) is: given two divisors D_1, 
D_2 defined on J(C; F_{q^n}), determine the integer m such that 
D_2 = mD_1 (if such an m exists). 
3 Frobenius Automorphism and Its Properties 

Let F_q be a finite field and F̄_q its algebraic closure, C : y² + h(x)y = f(x) a 
hyperelliptic curve with genus g defined over F_q, and F_{q^n} the n-th extension 
field of F_q. The Frobenius automorphism φ : F̄_q → F̄_q, x ↦ x^q induces an 
automorphism of the Jacobian: 

φ : J(C; F̄_q) → J(C; F̄_q), 
D = Σ_P m_P P mod P_C(F̄_q) ↦ φ(D) = Σ_P m_P φ(P) mod P_C(F̄_q) 

where φ(P) = (x^q, y^q) if P = (x, y), and φ(P) = ∞ if P = ∞. 

If D is an element of J(C; F_{q^n}), D = [a(x), b(x)], a(x) = Σ_{i=0}^{g} a_i x^i ∈ 
F_{q^n}[x], b(x) = Σ_{i=0}^{g−1} b_i x^i ∈ F_{q^n}[x], then φ(D) = [φ(a(x)), φ(b(x))] = 
[Σ_{i=0}^{g} a_i^q x^i, Σ_{i=0}^{g−1} b_i^q x^i]. It is not difficult to prove that the Frobenius 
automorphism of J(C; F_{q^n}) is a linear transformation, and it has a characteristic 
polynomial of degree 2g. In the case g = 2, the characteristic polynomial of the 
Frobenius automorphism on the Jacobian of a hyperelliptic curve defined over F_q is [11]: 

P(T) = T⁴ − s_1 T³ + s_2 T² − s_1 q T + q²   (2) 

where s_1 = q − (M_1 − 1), s_2 = (M_2 − 1 − q² + s_1²)/2, and M_1, M_2 are the numbers 
of rational points of the curve defined over F_q and F_{q²} (including the point at 
infinity). For any D ∈ J(C; F̄_q), we have φ⁴(D) − s_1 φ³(D) + s_2 φ²(D) − s_1 q φ(D) + q² D = ∞. 

4 A Family of Hyperelliptic Curves with Genus g = 2 over GF(q) 

In the sequel, we assume that q = 2^m. 

Among the curves y² + h(x)y = f(x) with g = 2 defined over GF(q), there is 
a family of curves with the following property: the characteristic polynomial of 
the Frobenius automorphism of their Jacobian has fewer terms (these characteristic 
polynomials are required to be irreducible in the first place). In this paper, through 
computation, we find this kind of curve over GF(2) and GF(8). Such hyperelliptic 
curves over larger finite fields, or over finite fields of characteristic not equal to 2, 
also exist, but we do not discuss them here. Next, we give a description of such 
curves over GF(2) and GF(8) and compute the orders of their Jacobians using the 
Weil conjecture method. 

For such curves over GF(2), we have: 

Curve: y² + (x² + x + 1)y = x⁵ + x⁴ + x² 
Characteristic polynomial of the Frobenius automorphism: T⁴ + T² + 4 
#Jac(C)(GF(2^107)) = 26328072917139296674479506920917301414787852721508015252463986134 
= 6 · 6421 · 74994216391141 · 9112496619561893347803980601085579631534736049 

Curve: y² + (x² + x)y = x⁵ + x⁴ + x 
Characteristic polynomial of the Frobenius automorphism: T⁴ − T² + 4 
#Jac(C)(GF(2^79)) = 365375409332725729550922292183917789809461213276 
= 4 · 913438523333181432387730573045979447452365303319 
#Jac(C)(GF(2^91)) = 6129982163463555433433388104427120154634465472340027756 
= 4 · 2029 · 4159 · 8269 · 21962170570156658355824238097706743757170621 
#Jac(C)(GF(2^97)) = 25108406941546723055343157693015513330857555182110701284884 
= 4 · 14511 · 431386278289236531086233896175787116535934904510183171 

Let GF(2) = {0, 1}, GF(8) = GF(2)(θ) = {0, 1, θ, θ + 1, θ², θ² + 1, θ² + θ, 
θ² + θ + 1} = {0, 1, 2, 3, 4, 5, 6, 7}, where θ is a root of the equation x³ + x + 1 = 0. 
Among the hyperelliptic curves of the form y² + xy = f(x) with g = 2 over GF(8), 
there are only two sorts whose characteristic polynomials of the Frobenius 
automorphism have fewer terms. These two sorts of curves are described in the 
following table. 



M_1, M_2   characteristic polynomial     number      extension degree n     number of curves
           of Frobenius automorphism     of curves   for which security     subject to WD attack
                                                     is obtained
8, 64      T⁴ − T³ − 8T + 64             2112        41, 43, 47             384
10, 64     T⁴ + T³ + 8T + 64             2112        31, 49                 384


For P(T) = T⁴ − T³ − 8T + 64, there are 2112 such curves and only 384 
of them can be attacked by Weil descent. For the detailed discussion we refer 
the reader to reference [4]. There are still 1728 such curves defined over GF(8) 
that can be used to construct cryptosystems. (10210), (14441), (41421), and 
(55621) are examples, where (f_0 f_1 f_2 f_3 f_4) represents the hyperelliptic curve 
y² + xy = x⁵ + f_4 x⁴ + f_3 x³ + f_2 x² + f_1 x + f_0; for example, (10210) represents 
y² + xy = x⁵ + x³ + 2x² + 1 = x⁵ + x³ + θx² + 1; 

#Jac(C)(GF(8^41)) = 113078212145816597108204018598183329912387001819433481682037653227868360824 
= 56 · 83 · 5167 · 41616149 · 7119759061 · 15890851370813777844165240252759545846421631650901. 

#Jac(C)(GF(8^43)) = 56 · 1033 · 5591 · 211540360267 · 6769674709902939399706179795404558305437648052268177674679. 

#Jac(C)(GF(8^47)) = 7770675568902916283672440893752363405172245242507718134518926224896252091723638270344 
= 56 · 659 · 417737 · 5837429329 · 86349684743573149632284392734316491874612299285170133446243500357. 

For P(T) = T⁴ + T³ + 8T + 64, such as (03730), (12721), (22511), (55721), we 
have 

#Jac(C)(GF(8^31)) = 74 · 49922801947 · 26549021632722459636743345674307154168451963. 

#Jac(C)(GF(8^49)) = 31828687130226345097944466132589330488005475515796933833452274257072348305323877208545994 
= 74 · 701 · 84640781 · 7249187375774172360589054926008643689019155604527505042380017164669880314601. 

With the hyperelliptic curve and its Jacobian, and the characteristic polynomial 
of the Frobenius automorphism and its roots, we can use the τ-adic expansion 
(here τ is a root of the characteristic polynomial of the Frobenius automorphism) 
according to a discussion similar to [5], and thus speed up the scalar multiplication 
on the Jacobian. The detailed discussion is similar to the method in [5] and is not 
repeated here. 

5 Fast Computation of a Special Kind of Curve Based on Subfield 

The characteristic polynomial of the Frobenius automorphism of a hyperelliptic curve 
over GF(q) is P(T) = T⁴ − s_1 T³ + s_2 T² − s_1 q T + q². To compute mD using 
the q²-ary (or signed q²-ary) expansion of m, we can replace q²D with (s_1 q φ − 
s_2 φ² + s_1 φ³ − φ⁴)D. If the amount of computation in computing (s_1 q φ − s_2 φ² + 
s_1 φ³ − φ⁴)D is smaller than that of computing q²D, our method will be faster 
than the ordinary method of computing mD. The computation of φ(D) can 
be reduced to at most 2g · 2^{m−1} operations in F_{q^n}. 

In the following, we take the curves with P(T) = T⁴ − T³ − 8T + 64 as an example 
to illustrate our algorithm. Let C be such a curve; we consider its Jacobian over 
GF(8^43). Suppose the domain parameters have been appropriately chosen. 

Let 

#Jac(C)(GF(8^43)) = 56 · 1033 · 5591 · 211540360267 · 6769674709902939399706179795404558305437648052268177674679 
= 56 · 1033 · 5591 · 211540360267 · p. 

Let D be an element of J(C; GF(8^43)); then D satisfies φ⁴(D) − φ³(D) − 
8φ(D) + 64D = ∞, and we have 64D = 8φ(D) + φ³(D) − φ⁴(D). Let D be an element of 
order p in J(C; GF(8^43)) and m < p. In order to compute mD, we first precompute 
−D, ±2D, ±3D, …, ±63D, then we represent m in 64-ary representation: 
m = Σ_{i=0}^{l} c_i 64^i, 0 ≤ c_i ≤ 63. 

So mD = Σ_{i=0}^{l} c_i 64^i D = Σ_{i=0}^{l} 64^i (c_i D) = Σ_{i=0}^{l} (8φ + φ³ − φ⁴)^i (c_i D). 

Next, we describe our faster algorithm for scalar multiplication on the Jacobian. 

Algorithm 4: Scalar multiplication of a divisor in the Jacobian 

Input: an element D = [a, b] = [x² + a_1 x + a_0, b_1 x + b_0] of order p in 
J(C; GF(8^43)) and an integer m < p 
Output: mD 

1) Precompute −D, ±2D, ±3D, …, ±63D; 
2) Initialize H = ∞; in fact we often let H = [1, 0]; 
3) Convert m into signed 64-ary representation: m = Σ_{i=0}^{l} c_i 64^i, where c_i ∈ 
{−63, −62, …, 62, 63}; 
4) For i from l down to 0 do 
   (1) H ← 8φ(H) + φ³(H) − φ⁴(H); 
   (2) if c_i ≠ 0, let H ← H + c_i D; 
5) Output H = mD. 
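As an added example (not code from the paper), the Python below runs Algorithm 4 on an abstract model: since the Jacobian is a Z[φ]-module in which P(φ) = 0, a divisor is replaced by an element of Z[T]/(P(T)) and φ by multiplication by T, which is an assumption that lets the signed 64-ary recoding, the Horner step 64H = 8φ(H) + φ³(H) − φ⁴(H) and the operation counts be checked without Cantor's group law. The particular signed-digit recoding used (digits in [−31, 32]) is one choice within the paper's digit set {−63, …, 63}, not the paper's own.

```python
"""Algorithm 4 on an abstract model of the Jacobian (added example, not the paper's code).

Assumption: J(C; GF(8^43)) is a Z[phi]-module with P(phi) = 0, so any identity in
R = Z[T]/(P(T)) also holds when applied to a divisor D.  A divisor is therefore
modelled as an element of R (4 integer coefficients, low degree first) and phi as
multiplication by T.  Cantor's group law is replaced by polynomial arithmetic, but
the control flow of Algorithm 4 and its operation counts are those of the paper.
"""
from collections import Counter

# P(T) = T^4 - T^3 - 8T + 64 (Section 4, first family of curves over GF(8)).
P_LOW = [64, -8, 0, -1]      # coefficients of T^0..T^3; the T^4 coefficient is 1
DEG = len(P_LOW)
ZERO = [0] * DEG             # plays the role of the divisor "infinity"


def add(a, b):
    return [x + y for x, y in zip(a, b)]


def neg(a):
    return [-x for x in a]


def double(a):
    return add(a, a)


def phi(a):
    """Frobenius on the model: multiply by T, then reduce with T^4 = T^3 + 8T - 64."""
    lead = a[DEG - 1]                       # coefficient that overflows into T^4
    shifted = [0] + a[:DEG - 1]
    return [s - lead * c for s, c in zip(shifted, P_LOW)]


def frobenius_64(h, ops):
    """Step 4(1): 64H = 8phi(H) + phi^3(H) - phi^4(H); 3 doublings and 2 additions."""
    p1 = phi(h)
    p3 = phi(phi(p1))
    p4 = phi(p3)
    eight_p1 = double(double(double(p1)))
    ops["double"] += 3
    ops["add"] += 2
    return add(add(eight_p1, p3), neg(p4))


def signed_64ary(m):
    """Signed 64-ary digits (low first) with c_i in [-31, 32], a subset of {-63..63}."""
    digits = []
    while m:
        c = m % 64
        if c > 32:
            c -= 64
        digits.append(c)
        m = (m - c) // 64
    return digits


def algorithm4(m, d):
    """Return (mD, operation counts) following Algorithm 4 on the model."""
    ops = Counter()
    table = {c: [c * x for x in d] for c in range(1, 64)}   # step 1: cD for 1 <= c <= 63
    h = list(ZERO)                                          # step 2
    digits = signed_64ary(m)                                # step 3
    for c in reversed(digits):                              # step 4, i from l down to 0
        h = frobenius_64(h, ops)
        if c:
            h = add(h, table[c] if c > 0 else neg(table[-c]))
            ops["add"] += 1
    return h, ops


def plain_scalar(m, d):
    """Reference value m*D in the model."""
    return [m * x for x in d]


if __name__ == "__main__":
    # Constructed sample divisor and a 189-bit scalar (the paper's average size of m).
    D = [3, -1, 2, 5]
    m = 2**188 + 123456789
    result, ops = algorithm4(m, D)
    print(result == plain_scalar(m, D), dict(ops))
```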
Computation Analysis and Comparison with Other Methods: 

For φ(D) = [φ(a(x)), φ(b(x))] = [Σ a_i^q x^i, Σ b_i^q x^i], it only needs 12 = 2g · m 
multiplications in GF(8^43), and φ⁴(D) = [Σ a_i^{q⁴} x^i, Σ b_i^{q⁴} x^i] 
needs 48 multiplications in GF(8^43). These counts assume that 
GF(8^43) is represented in a polynomial basis. 64D = 8φ(D) + φ³(D) − φ⁴(D) then only 
needs 3 divisor doublings, 2 divisor additions, and 48 multiplications in GF(8^43). 
When the elements of GF(8^43) are represented in a normal basis, φ(a(x)) and φ(b(x)) can 
be determined by simply shifting the normal basis representation of each coefficient 
a_i and b_i in order to compute φ(D). The complexity is therefore at most 12 
cyclic shifts. These shift operations are basically "for free" when compared to the 
more expensive group operation in the Jacobian. 64D = 8φ(D) + φ³(D) − φ⁴(D) 
then only needs 3 divisor doublings and 2 divisor additions. Its total amount of computation 
is equal to 394 multiplications in the finite field. Compared with simply using divisor 
doubling (64D needs 6 divisor doublings, which is equal to 432 multiplications in the finite 
field), the amount of computation is decreased by 8.8%, or 38 multiplications in 
GF(8^43). We give a comparison of our method of computing the scalar multiplication 
mD of a divisor with the general binary method and the 64-ary method in the 
following table. 



Method              Number of divisor additions              Number of divisor doublings   Number of operations in GF(8^43)
Binary method [1]   Max: log_2 m                             log_2 m                       Max: 89 log_2 m + 72 log_2 m
                    Average: (1/2) log_2 m                                                 Average: (1/2)·89 log_2 m + 72 log_2 m
Signed binary       Max: (1/2) log_2 m                       log_2 m + 1                   Max: (1/2)·89 log_2 m + 72(log_2 m + 1)
method [1]          Average: (1/3) log_2 m                                                 Average: (1/3)·89 log_2 m + 72(log_2 m + 1)
64-ary method [1]   Max: log_64 m                            6 log_64 m                    Max: 89 log_64 m + 72·6 log_64 m
                    Average: (63/64) log_64 m                                              Average: (63/64)·89 log_64 m + 72·6 log_64 m
Signed 64-ary       Max: [illegible] log_64 m                6 log_64 m + 6                Max: [illegible]·89 log_64 m + 72·6(log_64 m + 1)
method [1]          Average: (63/65) log_64 m                                              Average: (63/65)·89 log_64 m + 72·6(log_64 m + 1)
Our method          Max: [illegible] log_64 m + 2 log_64 m   3 log_64 m + 3                Max: 89([illegible] + 2) log_64 m + 72·3(log_64 m + 1)
                    Average: (63/65 + 2) log_64 m                                          Average: 89(63/65 + 2) log_64 m + 72·3(log_64 m + 1)



For the 64-ary representation of m, we select the signed 64-ary representation; 
then c_i ∈ {−63, −62, …, 0, …, 62, 63}, and the number of non-zero c_i's 
is smaller than in the 64-ary representation, so the amount of computation in 
the scalar multiplication decreases and the computation is sped up. In 
Algorithm 4, 125 elements need to be precomputed. From the above table, we 
can see that our method needs less computation. So our method is better than 
the Signed Binary Method (or NAF), which is commonly considered the best 
method at present. The average ratio of the amount of computation of our 
method to that of the Signed Binary Method is 

(89((63/65) log_64 m + 2 log_64 m) + 72·3(log_64 m + 1)) / (89·(1/3) log_2 m + 72(log_2 m + 1)) 
≈ 0.928. 

Here m ∈ [0, 2^190], and the average size of m is 189 bits. 

This shows that the amount of computation of our method is decreased by 
7.2% compared with the Signed Binary Method. We also have 

(89((63/65) log_64 m + 2 log_64 m) + 72·3(log_64 m + 1)) / (89·(63/65) log_64 m + 72·6(log_64 m + 1)) 
≈ 0.915. 

This shows that the amount of computation of our method is decreased by 
8.5% compared with the Signed 64-ary Method. 

The analysis and examples above reveal that the bigger the ratio of the cost of a 
divisor addition to that of a divisor doubling, the better our method performs. 

6 Conclusion 

Because ECC and HCC have no sub-exponential time attacks at present, and their 
keys are small, they are especially suitable for environments with constrained 
computation power and memory, such as smart cards and other cryptographic products. 
At the same level of security, the base field of HCC is smaller than that of ECC, but 
from the existing implementations [12][13][14], the implementation speed of HCC is 
slower than that of ECC. So how to decrease the computation of point addition 
and scalar multiplication in the Jacobian of a hyperelliptic curve is the key step to 
speed up the implementation of HCC and make it practical. It will be very 
significant in practice even if there is only a little decrease in computation and a 
little improvement in the implementation speed. In this paper, using the Frobenius 
endomorphism as a tool, we have studied faster scalar multiplication and 
proposed a new, faster algorithm for scalar multiplication on the Jacobian of a class 
of specific curves. The analysis has shown that our algorithm's computation is 
less than that of the Signed Binary Method. Hence our method will have practical 
application in the implementation of HCC. 
Abstract. Xinmei Wang [1] proposed a digital signature scheme based 
on error-correcting codes, and then a revised scheme was proposed in 
[6]. Some attacks on the operation of its basic form and some variations 
were given in [2, 3, 4, 5], and then an attack on Xinmei's basic scheme and 
Xinmei's revised scheme based on a valid signature of a single message 
was given in [7]. In this paper, we give a totally trapdoor attack on 
Xinmei's constructions. Our attack can obtain the equivalent private 
key just by some simple matrix computations, given only the public key. 
Another scheme [10], proposed by Weizhang Du and Xinmei Wang, uses 
two maximum rank distance codes. We will show that this latter scheme 
is insecure against a known-message attack. 

Keywords: error-correcting code, digital signature, cryptanalysis 



1 Introduction 

It is well known that error-correcting codes can be used to construct public key 
encryption schemes [8, 9]. The key idea is that the efficient decoding algorithm for 
some code (such as a Goppa code) can be kept secret given only the generator 
or parity check matrix of the code. The encryption is just adding random errors 
to the code words corresponding to messages. Only the person knowing the 
decoding algorithm can identify the errors and recover the plaintexts. Note that 
the one-way function implicitly used in such an encryption scheme is the function 
which maps an error vector (with weight ≤ t) to its syndrome vector. If the code 
admits an efficient decoding algorithm, then the efficient decoding algorithm is 
a trapdoor for this one-way function. It is not straightforward to exploit this 
trapdoor one-way function to construct signature schemes. The difficulty lies in 
the fact that there are no obvious methods to use the set of the said syndrome 
vectors to encode messages without using the error vectors. 

* Supported by 973-Foundation (No. G1999035804) and National Natural Science 
Foundation of China (No. 69773015). 
Xinmei Wang [1] proposed a digital signature algorithm based on error-correcting 
codes that does not use the one-way function mentioned above. In this scheme, 
the signer uses some private matrices to act on a message plus an error vector 
in such a way that the message and the error satisfy a relation specified by 
the public matrices. The verifier uses the public matrices to recover the error 
and then checks whether the expected relation holds. It would be quite mysterious if 
such matrix operations could produce one-wayness. Previous attacks [2, 3, 4, 5] 
exploited weaknesses in the operations of the scheme. For example, it is possible 
[2] to combine valid signatures of some messages into a valid signature of another 
message, or the private key can be obtained by a chosen-ciphertext attack [3] if 
the cryptanalyst can get n+1 signatures of the same message (see also [6]). These 
attacks exploited the linear correlations between messages and their signatures 
or some assumptions on the operation mode of the scheme, so they can be defended 
against if M is properly protected by a hash function. In fact, these attacks are 
ineffective against the revised scheme in [6]. The recent attack proposed in [7] broke 
the basic scheme [1] and its variations [6] in the sense that any receiver of a 
signature can forge signatures of arbitrary messages: the receiver can make valid 
signatures of any other message based on only one signature of any single message. 
The attack in [7] can only forge signatures related to the error vector associated 
with the known valid signature. This rules out Xinmei's construction as a signature 
scheme. It would still be possible to use the algorithm in a challenge-response 
identification scheme where the error vector serves as the verifier's challenge. In 
this paper, we show that such an application of the algorithm is also insecure. In 
fact, we can construct matrices equivalent to the private key from the public key 
alone, i.e., our attack is a total trapdoor attack. 

Another signature scheme [10] using error-correcting codes was proposed by 
Weizhang Du and Xinmei Wang. This scheme does use the one way function 
associated with an error-correcting code. To circumvent the difficulty of message 
encoding mentioned above, the scheme restricts the errors to be code words of 
another error-correcting code C, and C is kept secret. This restriction makes 
the above one-way function vulnerable to known-message attacks. If we know the 
syndromes of some errors which span C, then we can find the error corresponding 
to any syndrome in the specified range just by linear algebra. 

2 Cryptanalysis of Xinmei’s Schemes 

2.1 Description of the Basic Xinmei Scheme 

86 D. Ye et al. 

Public key and private key: Each user of the basic Xinmei scheme chooses 
an (n, k, d) binary Goppa code or other linear binary error-correcting code C_a, 
which has a k x n generator matrix G and the ability to correct t errors. The 
public key is the tuple (J, W, T, H, t), where 

W = G* S^{-1},  J = P^{-1} W,  T = P^{-1} H', 

where S and P are invertible matrices of order k x k and n x n respectively, 
H is an (n - k) x n parity check matrix of C_a and H' is its transpose, of order 
n x (n - k), and G* is an n x k matrix satisfying G G* = I_k, where I_k denotes the 
identity matrix of order k. The private key is the tuple (G, S, P). 

Signature Algorithm: To sign a k-bit message M, the signer computes the 
signature as follows: 

1. Choose an n-bit error vector, denoted by E, of Hamming weight less than t 
at random. 

2. Compute C = (E + MSG)P. 

Then the signature for M is C. 

Verification Algorithm: After getting the tuple (M, C), to verify whether C 
is a valid signature for M, the verifier computes as follows: 

1. Compute S = CT, which turns out to be the syndrome of the error vector 
E, since S = CT = (E + MSG)PP^{-1}H' = EH'. 

2. Recover E using a decoding algorithm (say, the Berlekamp-Massey algorithm). 

3. Check whether M = CJ - EW. 

The verifier accepts the signature C if M = CJ - EW, and rejects C otherwise. 

2.2 Cryptanalysis of the Basic Xinmei Scheme 

Matrix pair (P, A) regarded as the private key: Let A = SGP; then the 
signature for the message M is C = EP + MA, hence the matrix pair (P, A) 
can be regarded as the private key of the scheme. Let B = (T, J); the private 
key (P, A) satisfies the following equations: 

PB = P(T, J) = P(P^{-1}H', P^{-1}W) = (H', W) 

and 

AB = A(T, J) = SGP(T, J) = SG(H', W) = (0, I_k). 

We have the following proposition. 

Proposition 1 (Matrix pair (P1, A1) equivalent to the private key): Any 
matrix pair (P1, A1), where P1 is an n x n matrix and A1 is a k x n matrix, 
satisfying P1(T, J) = (H', W) and A1(T, J) = (0, I_k), is equivalent to the private 
key. To be more precise, one can forge a signature of any k-bit message M by 
using the pair (P1, A1) as follows: 

1. Take an n-bit error vector E of weight w(E) < t at random. 

2. Compute C = EP1 + MA1. 

Then C is a valid signature of M. 

Proof: The verifier computes CT, which is exactly the syndrome of the error 
vector E since CT = (EP1 + MA1)T = EH'. Then the verifier recovers E 
using the Berlekamp-Massey algorithm. Finally, note that CJ - EW = (EP1 + 
MA1)J - EW = EW + M - EW = M, so C is a valid signature of M. 
Computing a matrix pair (P1, A1) equivalent to the private key: A matrix 
pair (P1, A1) which is equivalent to the private key can be computed using a 
generalized inverse of the matrix B = (T, J) as follows. Choose two invertible 
matrices R and Q, both of order n, such that 

RBQ = [matrix not recovered from the page] 

and let 

B* = [matrix not recovered from the page] R, 

then it is easy to check that B* is a generalized inverse of B in the sense that 
BB*B = B. Set A1 = (0, I_k)B* and P1 = (H', W)B*. Then we have 

A1(T, J) = A1B = (0, I_k)B*B = ABB*B = AB = (0, I_k), 

P1(T, J) = P1B = (H', W)B*B = PBB*B = PB = (H', W), 

so (A1, P1) is a matrix pair equivalent to the private key by Proposition 1. 
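The algebra of Sects. 2.1 and 2.2 worked out on a toy instance, as an added example that is not part of the paper: a Python implementation (mine, not the authors') of key generation, signing and verification over GF(2) for the basic scheme, using the binary [7,4] Hamming code (t = 1, so a syndrome table stands in for Goppa decoding) in place of a Goppa code, followed by the computation of a pair (P1, A1) from the public key alone by solving P1(T, J) = (H', W) and A1(T, J) = (0, I_k) with Gaussian elimination over GF(2), which is the generalized-inverse step above written as linear systems. The matrix names follow the paper; the random key matrices, the message and the error vectors are constructed for the example, and the example allows error weight at most t (the paper writes weight less than t; the algebra is unchanged).

```python
import random

# ---- GF(2) linear algebra on plain lists of 0/1 ------------------------------
def matmul(A, B):
    return [[sum(A[i][k] & B[k][j] for k in range(len(B))) & 1
             for j in range(len(B[0]))] for i in range(len(A))]
def transpose(A):
    return [list(col) for col in zip(*A)]
def hstack(A, B):
    return [ra + rb for ra, rb in zip(A, B)]
def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]
def vadd(u, v):
    return [a ^ b for a, b in zip(u, v)]
def vecmat(v, A):
    return matmul([v], A)[0]

def solve_gf2(A, b):
    """One solution x of A x = b over GF(2) (free variables set to 0), or None."""
    rows, cols = len(A), len(A[0])
    M = [A[i][:] + [b[i]] for i in range(rows)]
    pivots, r = [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        for i in range(rows):
            if i != r and M[i][c]:
                M[i] = vadd(M[i], M[r])
        pivots.append(c)
        r += 1
    if any(M[i][cols] for i in range(r, rows)):
        return None                                  # inconsistent system
    x = [0] * cols
    for i, c in enumerate(pivots):
        x[c] = M[i][cols]
    return x

def solve_left(B, Y):
    """X with X B = Y: each row x_i solves B' x_i' = y_i' (the generalized-inverse step)."""
    Bt = transpose(B)
    return [solve_gf2(Bt, y) for y in Y]

def inverse(M):
    """Inverse of a square GF(2) matrix, or None if M is singular."""
    cols = [solve_gf2(M, e) for e in identity(len(M))]
    return None if any(c is None for c in cols) else transpose(cols)

# ---- Toy instance (constructed): binary [7,4] Hamming code, corrects t = 1 error
N, K, T_ERR = 7, 4, 1
A_PART = [[1, 1, 0], [1, 0, 1], [0, 1, 1], [1, 1, 1]]
G = hstack(identity(K), A_PART)                        # k x n generator matrix
H = hstack(transpose(A_PART), identity(N - K))         # (n-k) x n parity check matrix
HP = transpose(H)                                      # H' in the paper, n x (n-k)
GSTAR = identity(K) + [[0] * K for _ in range(N - K)]  # n x k with G G* = I_k
# Table-lookup decoder for every error vector of weight <= t (stands in for Berlekamp-Massey).
SYNDROMES = {}
for i in range(-1, N):                                 # i == -1 is the zero error vector
    e = [int(j == i) for j in range(N)]
    SYNDROMES[tuple(vecmat(e, HP))] = e

def random_invertible(n, rng):
    while True:
        M = [[rng.randint(0, 1) for _ in range(n)] for _ in range(n)]
        if inverse(M) is not None:
            return M

def keygen(seed=1):
    """Public key (J, W, T, H', t) and private key (G, S, P) of the basic Xinmei scheme."""
    rng = random.Random(seed)
    S, P = random_invertible(K, rng), random_invertible(N, rng)
    W = matmul(GSTAR, inverse(S))                      # W = G* S^{-1}
    J = matmul(inverse(P), W)                          # J = P^{-1} W
    T = matmul(inverse(P), HP)                         # T = P^{-1} H'
    return (J, W, T, HP, T_ERR), (G, S, P)

def sign(priv, M, E):
    """C = (E + M S G) P for a k-bit message M and an error vector E of weight <= t."""
    _, S, P = priv
    return vecmat(vadd(E, vecmat(vecmat(M, S), G)), P)

def verify(pub, M, C):
    J, W, T, _, _ = pub
    E = SYNDROMES.get(tuple(vecmat(C, T)))             # C T = E H': decode the syndrome
    if E is None:
        return False
    return M == vadd(vecmat(C, J), vecmat(E, W))       # M = C J - E W (+ and - coincide in GF(2))

def equivalent_key(pub):
    """Proposition 1: (P1, A1) with P1 (T,J) = (H',W) and A1 (T,J) = (0, I_k), from the public key."""
    J, W, T, Hp, _ = pub
    B = hstack(T, J)
    P1 = solve_left(B, hstack(Hp, W))
    A1 = solve_left(B, hstack([[0] * (N - K) for _ in range(K)], identity(K)))
    return P1, A1

def forge(P1, A1, M, E):
    return vadd(vecmat(E, P1), vecmat(M, A1))          # C = E P1 + M A1
```

Calling keygen(), then sign and verify, then equivalent_key and forge as in Proposition 1, shows that a signature produced from the public-key-derived pair passes the verification of Sect. 2.1. In this toy instance B = (T, J) is invertible (G(H', W) = (0, S^{-1}) forces (H', W) to have full rank), so the solved pair coincides with (P, SGP) itself.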



2.3 Cryptanalysis of the Revised Xinmei Scheme 

In the basic Xinmei scheme, messages and signatures (including the error vector) 
are linearly correlated. This makes it vulnerable to various attacks of an operational 
type, such as the well-known broadcast attack and homomorphism attack. The 
standard technique to defend against these attacks is to hash the messages before signing. 
A revised scheme [6] applies this idea to the basic Xinmei scheme, which just 
replaces M with h(E, M) in both the signature and verification algorithms, where 
h(·, ·) is a hash function. It is easy to see that (P1, A1) constructed above can 
be used to sign any message in the revised scheme just as in the original scheme. 

3 Cryptanalysis of Du and Wang's Scheme 

Weizhang Du and Xinmei Wang proposed a signature scheme based on maximum 
rank distance codes in [10]. In this section we show how to break the scheme 
with a known-message attack. 



3.1 Description of Du-Wang's Scheme 

Public key and private key: User Alice chooses a linear (n, n - r) code V 
with r(V) > 2t_2 over the finite field F_{q^N}, and chooses another linear (n', k') 
code C over F_{q^N} with t_1 < r(c) < t_2 for all c ∈ C. Here r(c), for c = (c_1, c_2, ..., c_{n'}) 
with c_i ∈ F_{q^N}, is defined as the dimension of the linear space spanned over F_q by all the 
components c_i, 1 ≤ i ≤ n', of c, and r(C) = min{r(c) | c ∈ C} is called 
the minimum rank distance of the code C; r(V) is defined similarly. Let H be a 
parity check matrix of the code V, which is an r x n matrix over F_{q^N}, and let G be a 
generator matrix of the code C, which is a k' x n' matrix over F_{q^N}. Select a 
subset J = {j_i | 1 ≤ i ≤ n'} of n' elements of the set {1, 2, ..., n}, and assume 
1 ≤ j_1 < j_2 < ... < j_{n'} ≤ n. We denote by H_J the r x n' submatrix of H 
consisting of the columns whose index belongs to J, and let F = H_J G'. Let f be 
a hash function from F*_{q^N} to F^{k'}_{q^N}, where F^{k'}_{q^N} is the set of all k'-tuples 
over F_{q^N} (written as rows), and F*_{q^N} is the union of all F^i_{q^N}, i ≥ 1. The public 
key of Alice is (H, F), and her private key is (G, J). 

Signature Algorithm: For any message m ∈ F*_{q^N}, Alice's signature is e = 
(e_1, e_2, ..., e_n) ∈ F^n_{q^N}, where (e_{j_1}, e_{j_2}, ..., e_{j_{n'}}) = f(m) G and e_j = 0 for all j ∉ J. 

Verification Algorithm: The verifier accepts e as a valid signature of m if and 
only if the two conditions H e' = F f(m)' and t_1 < r(e) < t_2 hold. 

3.2 Cryptanalysis of Du-Wang's Scheme 

Proposition 2: The attacker can forge a signature for any message if he gets 
the signatures for approximately O(k') messages, as follows. Suppose he gets k' 
messages whose hash values f(m_i) ∈ F^{k'}_{q^N}, 1 ≤ i ≤ k', are linearly independent 
over F_{q^N}, or equivalently, whose corresponding k' signatures sig(m_i) = e_i, 1 ≤ 
i ≤ k', are linearly independent over F_{q^N}. Then for any message m, the tuple e = 
f(m) Φ^{-1} E is a valid signature, where 

Φ = ( f(m_1) ; f(m_2) ; ... ; f(m_{k'}) ),   E = ( e_1 ; e_2 ; ... ; e_{k'} ), 

i.e., Φ is the k' x k' matrix whose rows are the hash values f(m_i) and E is the k' x n 
matrix whose rows are the signatures e_i. 

Proof: We have 

H e' = H E' (Φ^{-1})' f(m)' 
     = H (e_1', e_2', ..., e_{k'}') (Φ')^{-1} f(m)' 
     = (H e_1', H e_2', ..., H e_{k'}') (Φ')^{-1} f(m)' 
     = (F f(m_1)', F f(m_2)', ..., F f(m_{k'})') (Φ')^{-1} f(m)' 
     = F Φ' (Φ')^{-1} f(m)' 
     = F f(m)'. 

And it is clear that e = f(m) Φ^{-1} E lies in the subspace spanned by the e_i = f(m_i) G ∈ 
C, hence e ∈ C, and then t_1 < r(e) < t_2, which is the property assumed for 
the code C. The above two facts show that (m, e) passes the verification algorithm, 
hence e is a valid signature for m. 

4 Conclusion 

We conclude that Weizhang Du and Xinmei Wang's constructions for digital 
signature schemes based on error-correcting codes are not secure. It remains 
open to design secure and practical signature schemes using the one way function 
that originates from the theory of error-correcting codes. 
Abstract. In electronic commerce, traded digital objects are likely to be associated 
with several numerical values as well as their prices. These values 
may change unpredictably over time and bring risks both to the providers 
and to the consumers of the application. One possible strategy for hedging 
the risks is to introduce derivatives regarding the uncertain values. 
This paper shows a theoretical pricing equation for the derivatives when 
the underlying digital objects have systematic default or revocation risks. 
We can make use of this pricing to estimate the risks. 



1 Introduction 

With the help of applied cryptography, we are going to trade more and more 
digital objects over an open network. Since digital objects can keep their original 
bit strings virtually forever, one may expect that there would be no risk 
of change. This is, unfortunately, not always the case. Digital objects can have 
not only prices but also other important numerical values. For example, digital 
certificates may have confidence values or trust metrics [1]. Access-grant tickets 
may have priority numbers or QoS (Quality-of-Service) values [2] reserved. 
Digitally-watermarked images [3] may have innocence values about their origins 
in terms of copyright protection. Any product may be associated with some insurance 
contracts [4]. Reward points may be attached. Those additional values 
and their effectiveness may change unpredictably over time and cause risks. In 
the worst case, the values go into default (e.g. the corresponding certificate is 
revoked) and the holder may suffer a large financial loss. 

A popular way of hedging such stochastic risks is to introduce derivatives or 
options written on underlying assets, typically regarding their prices. In financial 
theory, encouraged by the seminal paper by Black and Scholes [5], option-pricing 
theories have been developed extensively. Most of them use assumptions including 
divisibility of the underlying assets, which is not trivial in the case of digital 
objects. Thus we are motivated to study option pricing with models and assumptions 
suitable for digital objects. The rest of this paper consists of modeling 
(Sect. 2), pricing (Sect. 3), discussion including an application (Sect. 4), and 
conclusions (Sect. 5). 
Fig. 1. A network commerce architecture where boxes with wider lines indicate that 
the entities inside are more trusted. 



2 Objects with Default/Revocation Risks 

Our model is based on an architecture illustrated in Fig. 1. 

(Object Provider.) Copyright management and related technical maintenance 
are difficult and non-trivial tasks. So are management and maintenance 
of network-security infrastructure (e.g. public-key infrastructure). 
These tasks may require sufficient trustworthiness and reliability. We need 
specialized entities. They would be happier if the objects they provide are 
distributed and circulated more frequently in larger amounts; it would improve 
their reputation and/or make attached advertisements more profitable. 
(Object Server.) Selling digital objects to untrusted customers through poor 
communication channels is a difficult task, too. We need specialized entities. 
(Customer.) We do not trust individuals in terms of (i) their own behaviour, 
(ii) their financial situation, and (iii) the resources (for communication and 
computation) available to them. 

In a network life, we would want to pay for digital objects in electronic cash. 
Such digital payment systems could be more efficient if the monetary value of 
each coin is less granular [6]. Therefore, if we want to allow as wide a variety of 
electronic cash systems as possible, highly discrete (i.e. very sparse) prices would 
be helpful. So we first assume an object whose price is fix. For notational 
simplicity, we assign this fixed price as the unit of network currency. Also for 
simplicity, we assume each share of the object has a single value. This value is 
represented by a stochastic random variable H(t). We assume that its dynamics 
are given by 

dH = μ(t, H(t)) H dt + σ(t, H(t)) H dW   (1) 

where μ(t, H(t)) and σ(t, H(t)) are adapted processes and W is a Wiener process 
under the objective measure. 

We assume value-proportional tradability: the holder of a share of the 
object can sell it at a value-proportional price S_p defined by 

S_p(t) = V / H(t)   (2) 

whenever he wishes, as long as no default occurs. V is the nominal value of the 
share, which is equal to H(t_0), where t_0 is the time the share is issued. 

The default/revocation is assumed to happen according to a Poisson process 
with intensity λ. Once the Poisson event occurs, the value-proportional tradability 
is ruined, but the holder can refund his share for the original unit price. 
Different from the conventional financial market, we do not assume the divisibility 
of the object. We do not assume that we can go short on it, either. Also 
different from the conventional financial market, we assume that the Poisson 
process represents a systematic risk which can fully appear in the risk premium. 
As for other issues, we assume a typical liquid and arbitrage-free market [7]. 

The derivative we study here is a European call option written not on the 
price but on the value as follows. We assign the issuing time of the option as the 
time origin (t=0) for notational convenience. 



Definition 1 (A European Call). A European call option on the object is a 
derivative which provides a right to buy one share of the object with a reserved 
value K at a particular time T_m in the future for its fixed price, 1, regardless of 
the up-to-date value H(T_m) at t = T_m. The reserved value K is called the strike 
value, and T_m is called the maturity. 



Let C(t) = c(t, H(t)) be the price process of the call option. As a continuous-time 
model, we place the following mathematical assumptions. 

— The function c(t, h) is a C^{1,2}-mapping in the domain R_+ x R_{++}, and c(t, 0) = 
0 for all t ∈ R_+. R_{++} is the set of positive real numbers and R_+ is the set 
of non-negative real numbers. 

— The price process of the riskless asset is described by dB(t) = r_f B(t) dt, 
where the short rate r_f is a deterministic constant. 



3 Pricing 

By establishing a riskless portfolio composed of one share of the digital object 
and an adjusted amount of options, we can reach the following pricing theorem. 
Due to space limitations, the full proof [8] is not given here. 

Theorem 1 (Boundary Value Problem for Pricing). The only pricing 
function of the form C(t) = c(t, H(t)) is obtained when 

c(t, h) = \tilde{c}(t, 1/h) for h > 0,   c(t, h) = 0 for h = 0, 

and \tilde{c}(t, g) is the solution of the boundary value problem 

(σ²/2) g² \tilde{c}_{gg} + (r_f − λ) g \tilde{c}_g − (r_f + λ) \tilde{c} + \tilde{c}_t = 0,   \tilde{c}(T_m, g) = max{0, K g − 1} 

in the domain [0, T_m] x R_{++}. 

4 Discussion 

4.1 Jump Processes 

We derived Theorem 1 by using a systematic risk assumption. This is different 
from the conventional finance [9]. The conventional nonsystematic-risk assump- 
tion is an extreme assumption and there have been a lot of arguments about it 
[11]. In fact, jumps observed in stock prices are reported to be systematic across 
the market portfolio [12]. Heuristically speaking, the more similarly network en- 
tities look at the default/revocation risk, the better model our choice would give. 
Our choice could go better with the recent trend in the public-key infrastructure 
toward a single-directory system [13], [14]. 



4.2 Application 

According to Theorem 1, the option price depends on σ, T_m, r_f, h, K, and the 
risk of default/revocation λ. This suggests that the market data (C, σ, T_m, r_f, 
h, K) may help us with an indirect measurement of the risk λ. This needs an 
inverse estimation, which may be too heavy. However, if what you want to do is 
just to see whether λ exceeds a certain value, say, λ_0, then you may be able to 
use a more practical strategy. That is, in the region where C is locally monotone-increasing/decreasing 
with respect to λ, the following procedure without repetition 
is worth a try. 

1. By using recent market data, estimate the short rate r_f and the volatility σ. 

2. Set λ = λ_0. 

3. Solve the boundary value problem in Theorem 1. 

4. Compare the result with the current option price data. 

5. By using a tool for statistical testing, examine whether you can say the computed 
price is higher (monotone-decreasing case) / lower (monotone-increasing 
case) than the observed price with sufficient probability. 

6. If the answer is Yes, think of it as an alarm. 
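Steps 2 to 6 of the procedure above carried out numerically, as an added example that is not part of the paper. The closed form used for step 3 is my own derivation, not the authors': the boundary value problem of Theorem 1 is a Black-Scholes-type equation in g with drift r_f − λ and discount rate r_f + λ, and the terminal condition max{0, Kg − 1} = K·max{0, g − 1/K} is a call on g with strike 1/K, so the standard lognormal formula solves it; the block checks this by evaluating the PDE residual with finite differences. The statistical test of step 5 is replaced by a fixed tolerance, and all parameter values and the "observed" market price are constructed for the example.

```python
import math

def norm_cdf(x):
    """Standard normal distribution function via the error function."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))

def call_value(t, g, Tm, K, sigma, rf, lam):
    """Closed-form solution of the Theorem 1 boundary value problem in the variable g = 1/h.
    Derivation (mine, not the paper's): Black-Scholes equation with drift rf - lam,
    discount rate rf + lam, and terminal payoff K * max{0, g - 1/K}."""
    tau = Tm - t
    if tau <= 0:
        return max(0.0, K * g - 1.0)                   # boundary condition at maturity
    sq = sigma * math.sqrt(tau)
    d1 = (math.log(K * g) + (rf - lam + 0.5 * sigma ** 2) * tau) / sq
    d2 = d1 - sq
    return math.exp(-(rf + lam) * tau) * (
        K * g * math.exp((rf - lam) * tau) * norm_cdf(d1) - norm_cdf(d2))

def pde_residual(t, g, Tm, K, sigma, rf, lam, dg=1e-3, dt=1e-4):
    """Left-hand side of the Theorem 1 PDE by central differences; close to 0 if call_value solves it."""
    c = lambda tt, gg: call_value(tt, gg, Tm, K, sigma, rf, lam)
    c_g = (c(t, g + dg) - c(t, g - dg)) / (2 * dg)
    c_gg = (c(t, g + dg) - 2 * c(t, g) + c(t, g - dg)) / dg ** 2
    c_t = (c(t + dt, g) - c(t - dt, g)) / (2 * dt)
    return (0.5 * sigma ** 2 * g ** 2 * c_gg + (rf - lam) * g * c_g
            - (rf + lam) * c(t, g) + c_t)

def revocation_alarm(observed, lam0, t, g, Tm, K, sigma, rf, tol=1e-3, dlam=1e-4):
    """Steps 2-6 of Sect. 4.2, with the statistical test replaced by a fixed tolerance (my simplification).
    Returns True when the market price implies lambda > lam0 in the locally monotone region."""
    price = lambda lam: call_value(t, g, Tm, K, sigma, rf, lam)
    model = price(lam0)                                              # steps 2 and 3
    slope = (price(lam0 + dlam) - price(lam0 - dlam)) / (2 * dlam)   # local monotonicity in lambda
    if slope < 0:   # monotone-decreasing: a model price above the market means lambda > lam0
        return model - observed > tol
    return observed - model > tol                                    # monotone-increasing case

# Constructed parameters: t = 0.3, g = 1.2 (i.e. h = 1/1.2), Tm = 1, K = 1, sigma = 0.3, rf = 0.03.
EXAMPLE = dict(t=0.3, g=1.2, Tm=1.0, K=1.0, sigma=0.3, rf=0.03)
```

With the constructed parameters the price at λ = 0.1 is about 0.176 and at λ = 0.2 about 0.118, so this point lies in the monotone-decreasing region; feeding the λ = 0.2 price in as the "observed" market price and testing λ_0 = 0.1 raises the alarm, while an observed price equal to the λ_0 price does not.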
5 Concluding Remarks 

We described an E-commerce architecture and a simple model of digital objects; 
each object has an abstracted value as well as a fixed price. The value can change 
stochastically and can be ruined in the worst case. The object is not divisible and 
we cannot go short on it. A European call option written not on the price but 
on the value was introduced. A PDE for pricing the option was derived. In the 
discussion, applications of the pricing were studied: to estimate the probability 
of revocation and to raise an alarm when that probability is high. 

References 

1. Reiter, M. K., Stubblebine, S. G.: Resilient Authentication Using Path Independence. 
IEEE Trans. Comput. 47 (1998) 1351-1362 

2. Xiao, X., Ni, L. M.: Internet QoS: A Big Picture. IEEE Network 13 (1999) 8-18 

3. Katzenbeisser, S., Petitcolas, F. (eds.): Information Hiding Techniques for 
Steganography and Digital Watermarking. Artech House Publishers, Boston London (2000) 

4. Reiter, M. K., Stubblebine, S. G.: Authentication Metric Analysis and Design. 
ACM Trans. Info. & Sys. Security 2 (1999) 138-158 

5. Black, F., Scholes, M.: The Pricing of Options and Corporate Liabilities. J. Political 
Econ. 81 (1973) 637-654 

6. Eng, T., Okamoto, T.: Single-Term Divisible Electronic Coins. In: De Santis, Alfredo 
(ed.): Advances in Cryptology — EUROCRYPT'94. Lecture Notes in Computer 
Science, Vol. 950. Springer-Verlag, Berlin Heidelberg New York (1995) 306-319 

7. Bjork, T.: Arbitrage Theory in Continuous Time. Oxford University Press, New 
York (1998) 

8. Matsuura, K.: Security Tokens and Their Derivatives. Technical Reports, Centre 
for Communication Systems Research, University of Cambridge (2001) 
http://www.ccsr.cam.ac.uk/techreports/tr29/index.html 

9. Merton, R. C.: Option Pricing When Underlying Stock Returns are Discontinuous. 
J. Financial Econ. 3 (1976) 125-144 

10. Sharpe, W. F.: Capital Asset Prices: A Theory of Market Equilibrium under Conditions 
of Risk. J. Finance 19 (1964) 425-442 

11. Colwell, D. B., Elliott, R. J.: Discontinuous Asset Prices and Non-Attainable Contingent 
Claims. Math. Finance 3 (1993) 295-308 

12. Jarrow, R. A., Rosenfeld, E. R.: Jump Risks and the Intertemporal Capital Asset 
Pricing Model. J. Business 57 (1984) 337-351 

13. Buldas, A., Laud, P., Lipmaa, H.: Accountable Certificate Management Using Undeniable 
Attestations. In: Proc. 7th ACM Conf. on Comp. & Comm. Security, 
Athens (2000) 9-18 

14. Gassko, I., Gemmell, P. S., MacKenzie, P.: Efficient and Fresh Certification. In: 
Imai, H., Zheng, Y. (eds.): Public Key Cryptography — PKC 2000. Lecture Notes 
in Computer Science, Vol. 1751. Springer-Verlag, Berlin Heidelberg New York 
(2000) 342-353 




A New Approach for Secure Multicast Routing 
in a Large Scale Network 

Young-Chul Shim 

Hong-Ik University, Department of Computer Engineering 
72-1 Sangsudong, Mapogu, Seoul, 121-791 Korea 
shim@cs.hongik.ac.kr 



Abstract. This paper presents an approach for providing security services 
for multicasting using the PIM-SM and BGMP routing algorithms. 
Members and senders are authenticated and receive/use proper capabilities 
when they join a multicast group so that illegal hosts or routers 
may not be able to expand the multicast delivery tree. Messages are encrypted 
with either a group data key or a sender-specific key that is shared 
by all members and changed efficiently whenever the membership changes. 
So not only are illegal hosts unable to read packets, but members also cannot 
read packets exchanged before they join the group or after they leave 
the group. The authenticity of a packet is checked by the edge router 
of the sending host and then by the core routers to efficiently thwart an 
illegal host's or corrupt router's attempt to inject a bogus packet or replay 
a packet. . . . 



1 Introduction 

Multicasting has been used in many application areas and is becoming more 
important as an enabler for providing many new services in the Internet [1]. In 
multicasting data delivery trees are built by multicast routing algorithms and 
data packets are transmitted along the data delivery trees. Multicast routing 
algorithms are classified into intra-domain algorithms such as PIM-SM [2] and 
inter-domain routing algorithms such as BGMP [3]. 

The attacks on multicast delivery trees can be classified into edge attacks and 
internal attacks [4]. An edge attack originates from a host connected to a router 
at the leaves of a delivery tree. There are two types of edge attacks: 

— EA1 - Sender attacks: the delivery tree is attacked by hosts sending bogus 
data packets to the group with the correct multicast address, thereby 
causing the packets to be sent to all receivers in the group. This attack consumes 
bandwidth, since the packet would be delivered to all host-members. 
Although such attacks are also possible within unicast, the impact is magnified 
in multicast due to the replication effect within the distribution tree. 
Such hosts may also send bogus control packets. 

— EA2 - Receiver attacks: non-members simply join the group, causing the 
tree to expand and multicast traffic to be forwarded to the non-member. 



S. Qing, T. Okamoto, and J. Zhou (Eds.): ICICS 2001, LNCS 2229, pp. 95—106, 2001. 
(c) Springer- Verlag Berlin Heidelberg 2001 




96 



Y.-C. Shim 



Even if the traffic content is encrypted from the source, the encrypted packets 
would still be forwarded regardless, thereby consuming bandwidth. The 
attackers then simply discard the encrypted message. 

In internal attacks, the attacks originate from within the tree, either from a 
compromised router or from a tapped line. The two types of internal attacks are as 
follows. 

— IA1 - Data attacks: the attacker injects bogus data packets into the data 
stream. The attack can be aimed at the subtree of members downstream 
from the point of attack, or the attacker can perform a sender attack (EA1) 
with the result that the bogus data packets are received by all members of 
the group. 

— IA2 - Control attacks: the attacker injects bogus control packets destined 
for other routers participating in the multicast distribution tree. The aim 
of this attack would be either to confuse and cripple the distribution or to 
influence the behavior of the distribution tree. Note that this kind of control 
attack may also originate from the edge. 

Now we explain the issues that we have to consider when we develop security 
mechanisms to guard against the attacks mentioned above. 

— Dynamic environment: A multicast group can be dynamic, meaning that 
senders and receivers can join and leave the multicast group during the 
lifetime of the group. A newly joining member should not be able to capture 
the packets exchanged before its join and decipher them with the key that 
it receives when it joins the group. A leaving member should not be able to 
capture the packets exchanged after its leave and decipher them with the 
key that it possessed before it left the group. This means the message 
encryption key should be changed whenever a member joins or leaves a 
multicast group. There are two ways a member can leave a multicast 
group: it can leave the group voluntarily or be evicted due to its suspicious 
activity. Both cases should be considered. 

— Member semantics: There are two types of participants in a multicast group: 
members and senders. Members can both send and receive multicast 
packets while senders can only send multicast packets. This means that 
each sender should have its own sender-specific key and this key should be 
distributed to all the group members. 

— Scalability: The proposed security mechanism should be efficient so that it 
can be applied to a multicast group consisting of a large number of members. 
Moreover, the overhead incurred upon the routers on the delivery tree should 
be minimized. Especially the overhead on the border routers that connect 
two or more adjacent domains should be minimized because they have to 
handle a tremendous amount of packets crossing domain boundaries. 

— Required security services: The security services required for multicasting 
include authentication, access control, confidentiality, and integrity so that 
only legal hosts can join the multicast group and send/receive multicast 
packets. 
There have been many related works on multicast security. Ballardie has 
presented the scalable multicast key distribution scheme (SMKD) as part of the 
CBT multicasting architecture [5]. He proposes a scalable approach to authenticate 
a joining member and distribute a multicast key to that new member. But 
the key is static and the approach does not have any other security measures. 
There are many works on scalable approaches for distributing new multicast 
keys as the group membership changes. Mittra [6] proposes a key distribution 
approach based upon hierarchies of multicast domains while Wong et al. [7] 
introduce a key distribution mechanism based upon hierarchies of multicast keys. 
All the works in this category just present a scalable key distribution method 
and provide no other multicast security services. Recently Shields and Garcia-Luna-Aceves 
proposed a scalable protocol for secure multicast routing [8]. The 
proposed mechanism provides security measures guarding against both the edge 
attacks and the internal attacks explained above, assuming the hierarchical multicast 
routing algorithm called HIP. It changes the multicast key when membership 
changes. But it neither considers the eviction of a member/sender nor provides 
ways to generate/distribute sender-specific keys. Moreover all message 
replay attempts are thwarted at the border routers and, therefore, the overhead 
on the border routers can become very heavy when there are many attempts to 
replay multicast packets. 

In this paper we present a new approach for scalable secure multicast routing 
in a very large scale network. We assume the use of PIM-SM and BGMP. Our 
approach provides security measures to guard against both edge attacks and 
internal attacks and provides all four required security services. It has a mechanism 
for efficiently changing the multicast key as the membership changes. The 
proposed approach can evict ill-behaving members and/or senders securely and 
also supports the distribution of sender-specific keys. It tries to eliminate 
flooding attempts at the edge routers as much as possible so that the overhead 
on the border routers can be reduced. The rest of the paper is organized as 
follows. In Section 2, we explain the multicast routing algorithms on which our 
security protocols are designed. Section 3 describes what kinds of keys are used 
and how they are structured in our approach. Section 4 presents secure protocols 
for building and maintaining multicast trees and sending packets, and Section 
5 is the conclusion. 



2 Multicast Delivery Trees 

In this section we describe the multicast delivery trees that are built by the 
routing algorithms PIM-SM and BGMP. A multicast tree can be considered as 
a hierarchy of domains. The domain that includes the center point, that is, the 
root of the whole multicast tree, is designated as the root domain, and the other 
domains form a tree with this root domain as the tree root. The connections 
between domains are created by BGMP. In a domain that wishes to join 
the multicast tree, there is one border router that has the shortest path to 
the existing multicast tree, and that border router is the best exit router of that 
domain. This best exit router communicates with the external peer border router 
in the neighboring domain, which is already on the multicast tree, toward the 
root domain. This neighboring domain is called the parent domain of the new 
domain and the neighboring router in this domain is called the parent router of 
that best exit router. A bi-directional path is formed between these two border 
routers using BGMP. The best exit router of the new domain becomes the core 
of that domain, and all the group members and routers in that domain build an 
intra-domain multicast tree around this core using PIM-SM. 

Fig. 1. Multicast Delivery Tree in a Hierarchy of Domains 

Figure 1 shows an example of a delivery tree. The network is divided into 
6 domains, A to F. Square boxes, R_A1, R_A2, R_B1, R_C1, R_C2, R_C3, R_C4, 
R_D1, R_E1, and R_F1, are border routers. Diamonds, R_A3, R_B2, R_B3, R_D2, R_E2, 
and R_F2, are edge routers. Rounded boxes, H_M1, H_M2, H_M3, H_M4, and H_M5, are 
member hosts while H_S1 is a sender host. The router R_center in domain 
A is the center point of the whole delivery tree and is called the center router. 
Domain A becomes the center domain. The solid lines between two border 
routers in adjacent domains are the bi-directional delivery paths built by 
BGMP. The delivery tree in each domain is built as a shared unidirectional tree 
by the PIM-SM algorithm. These intra-domain delivery trees are represented as 
dotted-line trees in the domains A through E. The routers R_center, R_B1, 
R_C1, R_D1, and R_E1 are the core routers of their domains. The edge routers are the 
leaf routers in the delivery tree and are connected to the member hosts. For a 
host to be able to send packets to the delivery tree, there must be a packet 
delivery path from the edge router of this sending host up to the center router. 
In the figure the member hosts H_M1 and H_M5 are also senders. The solid arrow 
lines in each domain from these hosts toward the center router are the sending 
paths. The host H_S1 is a sender but not a member. Although there is no delivery 
path toward H_S1, there is a sending path from H_S1 toward the center. 



3 Key Management Structure 

In addition to the public key and private key pair owned by each host or router, 
we use the following kinds of keys for secure multicast routing. 

— Group Data Key(GDK) : This symmetric key is generated by the center and 
shared by all group members. All members and senders encrypt packets with 
this key. It is changed whenever a member joins or leaves so that a leaving 
member cannot read any packets exchanged after it leaves and a joining 
member cannot read any packets exchanged before it joins. 

— Domain Control Key (DCK) : This symmetric key is generated by the center 
in the center domain and by the core router in all other domains. It is shared 
by all leaf nodes of a domain. The leaf nodes of a domain are the member 
hosts in that domain and the core routers of all the child domains of that 
domain. It is changed whenever there occurs a change in the set of the leaf 
nodes of a domain. Its purpose is to efficiently distribute a new group data 
key to all the leaf nodes. 

Fig. 2. Key Management Structure 

Fig. 3. Usage of Domain Control Keys: (a) After joins; (b) After Hm5 leaves 

— Sender Specific Key(SSK) : This symmetric key is generated by the center 
whenever a new non-member sender joins the group. It is shared by the non- 
member sender and all group members. Different non-member senders re- 
ceive different sender-specific keys. The packet sent by a non-member sender 
is encrypted with the sender-specific key of that sender. This key is changed 
whenever a member joins or leaves the group. 

Figure 2 shows the keys possessed by hosts and routers. Here we explain how the 
domain control key is used. Assume that a new member Hm6 in the domain D 
joins the group. Then the core router in that domain, Rd1, changes the domain 
control key from DCK-D to DCK-D' and sends it to all leaf nodes of the domain 
D. In this case the leaf nodes are Hm4, Hm5, and Hm6. One effective method of 
distributing this changed domain control key is to use limited multicast to Hm4 
and Hm5 and unicast to Hm6. Then the center distributes the new group data key 
GDK' and the new sender specific key SSK'. Rcenter encrypts them with its domain 
control key DCK-A and multicasts them. When a core router receives this encrypted 
key from its parent domain, it decrypts with the domain control key of the parent 
domain, encrypts again with its own domain control key, and multicasts the result. So 
Rc1 receives {GDK', SSK'}^DCK-A from the domain A, decrypts with DCK-A, 
encrypts with DCK-C, and multicasts {GDK', SSK'}^DCK-C along the delivery 
tree. Likewise Rd1 receives {GDK', SSK'}^DCK-C from the domain C, decrypts 
with DCK-C, encrypts with DCK-D', and multicasts {GDK', SSK'}^DCK-D'. All 
the leaf nodes in the domain D receive this packet, decrypt it with DCK-D', and 
retrieve the new group data key GDK' and the new sender specific key SSK'. 
The result is shown in Figure 3 (a). 

Figure 3 (b) shows the case after the member Hm5 has left the group. The 
core router Rd1 changes the domain control key from DCK-D' to DCK-D'' and 
securely unicasts it to all the valid leaf nodes in the domain, Hm4 and Hm6. 
Then the new group data key GDK'' and the new sender-specific key SSK'' are 
generated and distributed as in the previous case. 
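The domain-by-domain re-keying just described, as an added Python example (not the paper's code). It assumes a three-domain chain A (center) to C to D with the member hosts of Fig. 1, and uses a toy SHA-256 keystream with an HMAC tag in place of the paper's unspecified symmetric cipher; all host names and keys are constructed.

```python
"""Hierarchical re-keying with domain control keys (constructed example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 counter-mode keystream: a toy stand-in for the paper's
    # unspecified symmetric cipher, not something to deploy.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """{plaintext}^key: encrypt-then-MAC, so a stale DCK fails to decrypt."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("not encrypted under this domain control key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Domain:
    name: str
    members: set = field(default_factory=set)
    children: list = field(default_factory=list)
    dck: bytes = field(default_factory=lambda: os.urandom(32))


# Key store of every node. A host holds the DCK of its domain; a core
# (named "core-X") holds, as a leaf of the parent domain, the parent's DCK.
key_store = {}


def core(d: Domain) -> str:
    return f"core-{d.name}"


def leaf_nodes(d: Domain) -> set:
    """Member hosts of the domain plus the cores of its child domains."""
    return set(d.members) | {core(c) for c in d.children}


def rekey_domain(d: Domain, multicast_to: set, unicast_to: set) -> None:
    """New DCK: limited multicast to the existing leaves, unicast to the
    newcomer (or unicast to every remaining leaf after a leave)."""
    d.dck = os.urandom(32)
    for node in multicast_to | unicast_to:
        key_store[node] = d.dck


def member_join(d: Domain, host: str) -> None:
    old_leaves = leaf_nodes(d)
    d.members.add(host)
    rekey_domain(d, multicast_to=old_leaves, unicast_to={host})


def member_leave(d: Domain, host: str) -> None:
    d.members.discard(host)      # the leaver keeps only its stale DCK
    rekey_domain(d, multicast_to=set(), unicast_to=leaf_nodes(d))


def distribute_group_keys(center: Domain, gdk: bytes, ssk: bytes):
    """Center multicasts {GDK, SSK}^DCK-center; each core decrypts with the
    parent's DCK, re-encrypts with its own DCK and multicasts. Returns what
    every leaf retrieved and the ciphertext seen in each domain."""
    received, blobs = {}, {}

    def push(d: Domain, blob: bytes) -> None:
        blobs[d.name] = blob
        for node in leaf_nodes(d):
            received[node] = decrypt(key_store[node], blob)
        for child in d.children:
            push(child, encrypt(child.dck, received[core(child)]))

    push(center, encrypt(center.dck, gdk + ssk))
    return {n: (p[:32], p[32:]) for n, p in received.items()}, blobs


def can_read(node: str, blob: bytes) -> bool:
    """Does this node's current DCK open the domain's key-update packet?"""
    try:
        decrypt(key_store[node], blob)
        return True
    except ValueError:
        return False


def build_tree():
    """Domains A (center) -> C -> D with constructed member hosts."""
    a, c, d = Domain("A", {"Hm1", "Hm2"}), Domain("C", {"Hm3"}), Domain("D", {"Hm4", "Hm5"})
    a.children, c.children = [c], [d]
    key_store.clear()
    for dom in (a, c, d):
        for node in leaf_nodes(dom):
            key_store[node] = dom.dck
    return a, c, d
```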
4 Protocols for Secure Multicast Routing 

In this section we describe protocols to build and maintain multicast delivery 
trees and send packets over this tree securely. We use the following notations. 

— PK-A : the public key of A 

— SK-A : the private key of A 

— {M}^K : a message M encrypted with a key K 

— H(M) : the hash of a message M 

— {M}^SK-A : a message M along with a signature generated with A's private 
key. So if we use the RSA algorithm for the signature, it becomes M, 
{H(M)}^SK-A. 

And we assume the existence of the following entities. 

— AS : Authorization service. Its main job is to distribute capabilities on 
request. There are four types of capabilities : Initiator, Center, Member, 
and Sender. A capability for a host or router, E, in a multicast group with 
a multicast IP address, MA, has the following format 

CAP_E = {IP_E, PK-E, MA, Permit, TS, Life}^SK-AS 

where IP_E is the IP address of an entity E and the Permit is the permit 
allowed for E. The permit can be Initiator, Center, Member, or Sender. 
The TS (timestamp) shows when this capability was created and the 
Life (lifetime) specifies when this capability expires. We assume that all the 
hosts and routers know the public key of AS. 

— I : Group initiator. It is the creator of a multicast group. It starts with an 
access control list for the group. An access control list is an ordered set of 
tuples (name, permit). There are three types of permits : Center, Member, 
Sender. 

— CP : Center point of the whole tree; this corresponds to the center router, 
Rcenter. 

— C : Core of a domain. It is the border router acting as the core for a PIM-SM 
shared tree within a domain. 

— E : An edge router 



4.1 Building a Multicast Tree 

To start a secure multicast session, the initiator must first authenticate itself 
through AS and get the capability as an initiator, I-CAP (initiator capability), 
from AS. Then the initiator sends the access control list to AS. The access control 
list tells who is the center, who can be the members, and who can be the senders. 
Upon receiving the access control list, AS retrieves each tuple from the list and 
makes a capability using the information stored in the tuple. So, on receiving the 
following access control list for a multicast group with the IP address, MA, 

((CP, CP-Permit), (A, M-Permit), (B, S-Permit)) 

AS generates the capabilities as follows and sends them securely to the initiator. 

CP-CAP_CP = {IP_CP, PK-CP, MA, CP-Permit, TS, Life}^SK-AS 
M-CAP_A = {IP_A, PK-A, MA, M-Permit, TS, Life}^SK-AS 
S-CAP_B = {IP_B, PK-B, MA, S-Permit, TS, Life}^SK-AS 
After receiving the capability list from AS, the initiator contacts the center 
point and authenticates it. Then the initiator sends a packet to the center point 
and asks it to start building a delivery tree. The center point checks the validity of 
this message by checking the signature of the message and the initiator capability 
stored in the message. The following packet is sent from the initiator to the center 
point. 

I → CP : {Create a tree, IP_I, MA, CP-CAP, I-CAP}^SK-I 

Note that the packet also includes the center point capability. The center point 
retrieves this capability and stores it. One of the major jobs of the center point is 
to generate and distribute new group data keys and sender specific keys whenever 
a membership change occurs. The packet carrying these new keys should also 
include the center point capability and be signed with the private key of the 
center point. Any node that retrieves the keys from this packet can verify that 
the packet was generated by the center point by checking the center point's 
signature and capability. 

Now we explain what happens when a member wants to join a multicast 
group as a receiver. First a member host M contacts the initiator, authenticates 
itself, and receives its capability as a member, M-CAPm. We assume that there 
are mechanisms which enable a member to obtain the location of the initiator 
and the core of the domain in which it belongs. We also assume that the cores 
can be trusted. M sends a join request as a member to its core C as follows : 

M → C : {Join-Request, IP_M, MA, M-CAP_M}^SK-M 

The core authenticates the received packet and checks that the requesting host has a 
member host capability. The core changes its domain control key from DCK to 
DCK' and multicasts it to the leaf nodes in its domain. Then the core sends the 
following join acknowledgement message back to the member. 

C → M : {Join-ACK, IP_M, MA, {DCK'}^PK-M}^SK-C 

As this join acknowledgement message travels from the core toward the member 
host, a multicast path toward the edge router of the member host is created. The 
member host receives the packet and retrieves and stores the new domain control 
key. After sending the join acknowledgement packet to the member host, the 
core contacts the center and requests a new group data key to be created. Upon 
receiving this request the center creates a new group data key and multicasts it 
to all the members using the mechanism explained in Section 3. 

Now we explain what happens when a member host wants to send a packet to 
the group. We assume that this member has already joined the multicast group 
as a receiver. This member host sends a sender join request to its edge router E 
along with a random number which it will use as the initial value for the packet 
sequence number, as follows. 

M → E : {Sender-Join-Req, IP_M, MA, SEQ#, M-CAP_M}^SK-M 

The purpose of this sequence number is to thwart any multicast packet replay 
attack by a host connected to this edge router. The edge router includes its 
identity in this request and sends the resulting message to the core as follows. 
The identity of the edge router enables the core to evict this member sender 
with the cooperation of the edge router if necessary. 

E → C : {{Sender-Join-Req, IP_M, MA, SEQ#, M-CAP_M}^SK-M, IP_E}^SK-E 

Upon receiving this request, the core checks the capability of the sending host 
and finds the requesting host is a member. The core stores the information, (MA, 
IP_M, SEQ#_M, IP_E), in its sender information table. This means that the member 
sender IP_M has sent to the multicast group MA the packets with sequence 
numbers up to SEQ#_M and its edge router has the IP address IP_E. So any packet 
sent later by this member sender should have a sequence number greater than 
SEQ#_M. Then the core sends the following acknowledgement message back to 
the member host and a multicast packet sending path from the edge router of 
the requesting host to the core is established. 

C → M : {Sender-Join-Ack, IP_M, MA, SEQ#_M}^SK-C 

This packet is first caught by the edge router and then sent to the member host. 
The edge router stores in its sender information table the information, (MA, 
IP_M, SEQ#_M). Now we explain how a non-member sender joins a multicast 
group. The procedure is the same as in the previous case except after the core 
receives the sender join request packet. Upon receiving the request, the core 
checks the capability of the sending host and finds that the requesting host is a 
non-member. The core notifies the center point that a new sender S has joined 
the group as a sender. The center generates a new sender specific key, unicasts 
it to the sender, and securely multicasts it to all the members. Then the core 
stores the information, (MA, IP_S, SEQ#_S, IP_E), in its sender information table. 
Then the core sends the following acknowledgement message back to the 
non-member sender. 

C → S : {Sender-Join-Ack, IP_S, MA, SEQ#_S}^SK-C 

This packet is first caught by the edge router and then sent to the non-member 
host. The edge router stores in its sender information table the information, 
(MA, IP_S, SEQ#_S), as in the case of the member sender. 



4.2 Sending a Multicast Packet Securely 

In this subsection we explain how a packet flows from a sender to group members 
securely. A member sender or non-member sender, S, which wants to send 
a message, D, to a group, multicasts the following packet. 

{{D}^K}^SK-S, {IP_S, SEQ#_S, H({{D}^K}^SK-S)}^SK-S 

Here the symmetric key, K, is the group data key for the member sender or the 
sender specific key for the non-member sender, depending upon whether the sender is a 
member or not. The purpose of sending the signed message in the first part of 
the packet is to enable any receiving member to check the authenticity of the 
packet. This packet is received by the edge router first. The edge router 
checks the second part of the packet with the public key of the sender. It checks 
the authenticity of the packet by calculating the hash of the first part of the 
packet and comparing it with the hash in the second part. The IP address in the 
second part tells who signed this second part. It also checks the sequence number 
of the packet by comparing it with the sender's sequence number that it stored in 
its sender information table, whose entry has the form (MA, IP_S, SEQ#_S). If 
the number in the packet is not greater than that in the table, the packet is 
rejected as an attempt to replay a previously sent packet. This checking at the 
edge router prevents any host connected to the same edge router from replaying 
or injecting false packets. Otherwise the edge router updates the sequence number 
in the table with that in the packet and then sends the packet toward the 
core. The core again checks the authenticity and freshness of the packet using 
the same method as the edge router. If the packet does not pass either of these 
two tests, it is discarded. This additional checking at the core router tries to 
prevent any corrupt router's attempt to replay or inject bogus packets along 
the sending path in the domain. If the checking succeeds, the core replaces the 
address and the sequence number in the second part with its own address and its own 
sequence number and sends the following packet along the multicast delivery 
tree. 

{{D}^K}^SK-S, {IP_C, SEQ#_C, H({{D}^K}^SK-S)}^SK-C 

After sending this packet, the core router updates the sequence number in its 
sender information table like the edge router. This packet is sent to all the members 
in the core's domain. It is also sent to the core routers in the neighboring 
domains that are participating in the delivery tree. These core routers again 
check the authenticity and freshness of the packet, replace the address and 
sequence number with their own, and forward it along the tree. 

Now we explain why the sequence number is changed at a core router. The 
purpose of this is to efficiently prevent any replayed or bogus packets from being 
transmitted to the neighboring domain. Any packet that is either generated in 
a domain or coming up from its child domain is given the sequence number of 
the core router in this domain and then sent to the parent domain. To check 
the freshness of this packet, the core of the parent domain need only remember 
the sequence number of the child core that sent the packet. Unless we substitute 
the sequence number at the core router, the core router would have to remember the 
identity and sequence number of all the senders in the whole multicast group. 
In our scheme, the core need only remember the identity and sequence number 
of the senders in its domain and the cores in the child domains. Likewise, to 
prevent replayed or compromised packets from being spread to the downstream 
domain, a core router should know the sequence number of the core router of 
its parent domain and change the sequence number of its parent core to its own 
before distributing the packet along the tree. In summary a core router should 
remember the sequence numbers of not only the senders in its domain but also all 
the cores in the neighboring domains. 
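The edge-router and core-router checks of this subsection, including the address and sequence-number substitution at a core, as an added Python example (not the paper's code). HMAC under per-entity keys stands in for RSA signature verification with PK-X; the addresses, the group address MA and the sequence numbers are constructed.

```python
"""Edge-router and core-router checks of Section 4.2 (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass, replace

MA = "224.0.5.1"  # constructed multicast group address

# HMAC with a per-entity key stands in for the paper's RSA signatures
# (signing with SK-X, verifying with PK-X): a toy substitute, not the paper's algorithm.
SIGNING_KEYS = {
    "10.1.0.5": b"sender-s-key",   # sender S in domain C
    "10.1.0.1": b"core-c-key",     # core router of domain C
    "10.0.0.1": b"core-a-key",     # core router of the center domain A
}


def sign(ip: str, data: bytes) -> bytes:
    return hmac.new(SIGNING_KEYS[ip], data, hashlib.sha256).digest()


def header_bytes(ma: str, ip: str, seq: int, body_hash: bytes) -> bytes:
    return f"{ma}|{ip}|{seq}|".encode() + body_hash


def first_part_hash(body: bytes, body_sig: bytes) -> bytes:
    return hashlib.sha256(body + body_sig).digest()


@dataclass(frozen=True)
class Packet:
    ma: str
    body: bytes       # {D}^K: data under GDK or SSK, opaque to routers
    body_sig: bytes   # sender's signature over body; with body it is {{D}^K}^SK-S
    ip: str           # IP_S, or IP_C once a core has rewritten the second part
    seq: int          # SEQ#_S, or SEQ#_C after the rewrite
    body_hash: bytes  # H(first part)
    hdr_sig: bytes    # signature over (ma, ip, seq, body_hash) by `ip`


def make_packet(sender_ip: str, seq: int, body: bytes) -> Packet:
    body_sig = sign(sender_ip, body)
    h = first_part_hash(body, body_sig)
    return Packet(MA, body, body_sig, sender_ip, seq, h,
                  sign(sender_ip, header_bytes(MA, sender_ip, seq, h)))


def tampered(pkt: Packet, new_body: bytes) -> Packet:
    """Simulate a host altering the first part while keeping the second part."""
    return replace(pkt, body=new_body)


class Router:
    """Edge router (is_core=False) or core router (is_core=True)."""

    def __init__(self, ip: str, is_core: bool):
        self.ip, self.is_core = ip, is_core
        self.table = {}    # sender information table: (MA, IP) -> last SEQ#
        self.own_seq = 0   # the core's own SEQ#_C

    def register_sender(self, ma: str, ip: str, initial_seq: int) -> None:
        self.table[(ma, ip)] = initial_seq   # learned from Sender-Join-Req

    def process(self, pkt: Packet) -> Packet:
        """Check authenticity and freshness; raise ValueError on failure."""
        expected = header_bytes(pkt.ma, pkt.ip, pkt.seq, pkt.body_hash)
        if pkt.ip not in SIGNING_KEYS or not hmac.compare_digest(
                pkt.hdr_sig, sign(pkt.ip, expected)):
            raise ValueError("second part not signed by its claimed source")
        if first_part_hash(pkt.body, pkt.body_sig) != pkt.body_hash:
            raise ValueError("first part altered or injected")
        last = self.table.get((pkt.ma, pkt.ip))
        if last is None:
            raise ValueError("no sending path for this source")
        if pkt.seq <= last:
            raise ValueError("replay of a previously sent packet")
        self.table[(pkt.ma, pkt.ip)] = pkt.seq
        if not self.is_core:
            return pkt
        # A core substitutes its own address and sequence number in the second
        # part, so the parent core only needs to remember this core's SEQ#.
        self.own_seq += 1
        new_hdr = header_bytes(pkt.ma, self.ip, self.own_seq, pkt.body_hash)
        return replace(pkt, ip=self.ip, seq=self.own_seq, hdr_sig=sign(self.ip, new_hdr))


def try_process(router: Router, pkt: Packet):
    """Return ('forwarded', packet) or ('discarded', reason)."""
    try:
        return "forwarded", router.process(pkt)
    except ValueError as err:
        return "discarded", str(err)
```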



4.3 Members and Senders Leaving a Multicast Group 

If a member which is not a sender wants to leave a multicast group, it sends such 
a request to its core. The core changes the domain control key and sends it to all 
the leaf nodes in the domain except the leaving member. Then the core informs 
the center point of the leaving member. The center point changes the group data 
key and all the sender specific keys and multicasts them to all the members in 
the group. Each new sender specific key is unicast to the corresponding non-member 
sender. If a member sender wishes to leave a group and sends such a 
request to its core, the core and the center point do exactly the same thing as 
above. But the core also deletes the information about the leaving member from 
its sender information table and tells the member's edge router to do the same 
thing. If a non-member sender wants to leave a group and sends such a request 
to the core, the core and the edge router delete the information about that sender 
from their sender information tables. The core also informs the center point of 
the leaving sender and the center multicasts to all the members a message to 
throw away the sender-specific key of the leaving sender. 



4.4 Evicting Member Senders or Non-member Senders 

If suspicious activity is found in a member sender, the initiator can request 
the eviction of such a host. The initiator removes the capability of the suspicious 
host from the capability list and requests the center point to send out the packet 
requesting the eviction of that host. The center point multicasts the packet 
containing the following content. 

(Evict Member Sender, IP_M, MA, CP-CAP) 

This packet is specially marked so that it is processed by the core routers 
only. Upon receiving this packet, a core router checks its storage to find an entry 
(MA, IP_M, SEQ#_M, IP_E) with the matching multicast address and member 
address. The core that finds such an entry removes the table entry and destroys 
the packet sending path from this corrupt member. The core also tells the edge 
router of the corrupt member to delete the similar table entry and destroy the 
packet receiving path to this member. Then the core changes the domain control 
key and requests the center point to distribute a new group data key and sender 
specific keys. If a non-member sender is to be evicted, a similar procedure is 
executed. But there is no packet receiving path to be destroyed and no new keys 
need to be distributed. Instead, all the members are told to discard the sender 
specific key of the evicted non-member sender. If a member which does not send 
packets is to be evicted, the core should remember its identity when it joins 
the group and use this information to delete the packet receiving path to this 
member. Therefore, the joining protocol in Section 4.1 should be slightly 
modified. 



5 Conclusion 

In this paper an approach for providing security services for multicasting has 
been presented. We assume the use of PIM-SM and BGMP for routing algo- 
rithms. The approach provides authentication, authorization, confidentiality, and 
integrity services for a multicast routing algorithm. Only member hosts which 
are authenticated and have a member capability can join the multicast group 
to receive and send packets while non-member senders with a sender capability 
can send packets. But as soon as they are found to be ill-behaving, their capa- 
bilities are invalidated and they are evicted from the multicast group. Multicast 
packets are encrypted with either a group data key or sender specific key so that 
only legitimate group members can decipher the packets. Multicast packets are 
signed properly and attached with a sequence number and they are checked at 
both the edge router and core routers and, therefore, the authenticity and fresh- 
ness of packets can be verified. Our approach can guard against the four types 
of attacks on multicasting explained in the introduction. An illegal host cannot 
send a multicast packet because it cannot build a sending path without a proper 
capability and its attempt to replay is blocked by the edge router which checks 
the authenticity and sequence number of the packets. An illegal host cannot receive 
and decipher a multicast packet because it cannot join the multicast tree 
without a member capability and it cannot decipher the multicast packets that 
it overhears without a proper key. A corrupt router's attempt to inject a replayed 
or compromised packet into the multicast group is thwarted or at least its effect 
will be contained in one domain by the core router which checks the authenticity 
and freshness of the packets. A corrupt router cannot expand the multicast tree 
because it does not have the proper capability. Our approach changes the group 
data key and sender specific keys whenever a membership change occurs and is 
suitable for the dynamic environments where members can join and leave the 
group and only the legitimate hosts can receive and/or send multicast packets. 
We support the member and sender semantics of IETF documents by providing 
the member and sender capabilities and the protocols for members and senders 
to join, leave, and be evicted from the multicast group. Through the use of 
the domain control keys, we can efficiently distribute new keys to the changed 
group. The compromised or replayed packets from illegal hosts are blocked at 
edge routers while corrupt packets from malicious routers are handled by the 
core routers. These two features make the proposed scheme scalable in the large 
Internet. 
Abstract. We propose a transaction length-sensitive protocol based on altruistic 
locking to satisfy the security requirements and improve the degree of 
concurrency for multilevel secure databases. This protocol extends the two-way 
donation locking protocol to multilevel secure databases and eliminates 
unauthorized information flows. Altruistic locking attempts to reduce the 
delay effect associated with the lock release moment by use of the idea of donation. 
An improved form of altruism has also been deployed in extended altruistic 
locking (XAL). We adapted XAL to multilevel secure databases and investigated 
limitations inherent in both altruistic schemes from the perspective of 
alleviating starvation occasions for transactions, in particular those of short-lived 
nature, in multilevel secure databases. Our protocol ensures serializability, 
eliminates covert channels by giving preference to lower level transactions, and 
reduces the starvation of short-lived transactions. The efficiency of the proposed 
protocol was verified by experimental results. 



1 Introduction 

A multilevel secure database is a secure system which is shared by users from more 
than one clearance level and contains data of more than one sensitivity level [2]. 
When the database scheduler applies a scheduling protocol to a multilevel secure 
database, it must satisfy both the concurrency and the security requirements at the 
same time. 

A data item's correctness is guaranteed by standard transaction scheduling schemes 
like two-phase locking (2PL) [7] in the context of concurrent execution environments. 
Generally, when short-lived transactions are mixed with long-lived ones, the 
degree of concurrency might be hampered by the selfishness associated with lock 
retention. In 2PL, lazy release of locks could aggravate the misfortune of long-lived 
ones in that they are more vulnerable to getting involved in deadlock situations. To 
reduce the degree of livelock, the idea of altruism has been suggested in the literature. 
Altruistic locking [5], AL for short, is basically an extension to 2PL in the sense that 
several transactions may hold locks on an object simultaneously under certain 
conditions. Such conditions are signaled by an operation donate. Like the other 
primitive unlock, donate is used to inform the scheduler that further access to a 
certain data item is no longer required by the donating transaction. Extended altruistic 
locking [5], XAL for short, attempted to expand the scope of donation in a way that 
data to be early disengaged is augmented by extra data originally not conceived to be 
rendered. Our protocol is based on extended altruistic locking (XAL) but a new 
method, namely two-way donation locking for multilevel secure database 
(2DL/MLS), is additionally used in order to improve the concurrency and satisfy 
security requirements in multilevel secure databases. 

2 Related Work 

2.1 Multilevel Secure Database 

Each data item in a multilevel secure database is labeled with its security classification 
and each user is assigned a clearance level. In the examples, we will use the following 
hierarchical levels ordered as follows: 

Top Secret > Secret > Confidential > Unclassified 

We applied the security model of Bell and LaPadula [2] to multilevel 
secure databases. Information is allowed to flow from an object (subject) with security 
classification level l1 to a subject (object) with classification level l2 only if l2 > 
l1. The BLP model requires that the system satisfy the following properties [3]. 

Simple Security Condition 

A subject may have read access to an object only if the subject’s classification 
level dominates the object’s sensitivity level. 

*-Property (Star Property) 

A subject may have write access to an object only if the object’s sensitivity 
level dominates the subject’s classification level. 

We must also consider information flow through covert channels. A covert channel 
allows information to be transferred in violation of the security policy (i.e., either from 
a high-level subject to a low-level subject or between two subjects with incomparable 
security levels) [1]. We would like to prevent covert channels by ensuring that 
transactions at lower security levels are never delayed by the actions of a transaction 
at a higher security level. We use ts, s, c and u to denote the hierarchical levels of 
subjects (transactions) and objects (data items), respectively. 

2.2 Altruistic Locking 

A transaction consists of database accesses and concurrency control operations, such as 
Lock and Unlock. It is well known that schedules of well-formed two-phase 
transactions that observe this rule are correct [4]. 2PL ensures that when its conditions are 
met, the schedules produced are serializable. AL is a modification to 2PL under certain 
conditions. AL provides a third concurrency control operation, called Donate, along 
with Lock and Unlock. The Donate operation is used to inform the scheduler that access to 
an object is no longer required by the locking transaction. When Donate is used, the 
donating transaction is free to continue to acquire new locks. Several rules control the 
use of the Donate operation by well-formed transactions. Transactions can only 
donate objects which they currently have locked. However, they may not access any 
object that they have donated. A well-formed transaction must unlock every object 
that it locks, regardless of whether it donated any of those objects. Transactions are 
never required to donate any objects. Donate operations are beneficial since they can 
permit other transactions to lock the donated object before it is unlocked. 

2.3 Operations of XAL/MLS 

While the donation of wake is rigid in AL in terms of fixedness of its size, a dynamic 
way of forming a wake could be devised given that serializability is never violated. 
This was realized in XAL by simply letting data originally not intended to bestow to 
be dynamically included in a wake predefined. The rule is that wake expansion comes 
true only after a short transaction has already accessed data in its predefined wake list. 
So, the presumption made for XAL is that a short transaction still restlessly wishes to 
access data of its wake-dependent long transaction even after it has done with data in 
its wake list. The assumption could be called wake-first/other-later access fashion. 
XAL therefore performs badly if others-first/wake-later access paradigm is in fact to 
be observed. Example 1 shows this. 

Example 1 (Delay Effect Caused by Donation Extension in Short-Lived 
Transactions): Suppose that the long-lived transaction TL1(R, ts) attempts to access 
data items, A(ts), B(s), C(c) and D(u), in that order in a multilevel secure database. Note that 
data items, E(ts), F(s), I(ts), and J(s) shall not be accessed by TL1(R, ts) at all. 
Presume that TL1(R, ts) has already locked and successfully donated A(ts), B(s) and 
C(c). TL1(R, ts) now is supposed in the stage of accessing D(u). Suppose also that 
there are three more short-lived transactions concurrently in execution along with 
TL1(R, ts): TS1(W, s) wishing for B(s) and E(ts), TS2(R, s) wishing for E(ts) and F(s), 
and TS3(W, c) wishing for F(s) and J(s) (Fig. 1). 

Fig. 1. Three Short-lived Transactions Competing for Same Data Donated 

In the case of XAL/MLS, if TS1(W, s) initially requests E(ts) first rather than B(s), TS1(W, 
s) can certainly acquire E(ts) but it fails for B(s) because the wake relationship cannot 
honor E(ts) as a member of the wake list. Once this sort of wake dependency is 
detected, TS1(W, s) can be allowed to access B(s) only after it is finally released by 
TL1(R, ts). TS1(W, s) in this case is therefore blocked. TS2(R, s) must then be blocked 
for E(ts) to be released by TS1(W, s). TS3(W, c) as well must be blocked for F(s) to be 
released by TS2(R, s), forging a chain of blockage. End of Example 1. 

To resolve this sort of chained delay, the others-first/wake-later approach could be 
made viable by including others, not honored before, in a wake list. This 
enhancement is one of the substantive changes made in our proposed protocol, which could be 
considered as backward donation, compared to XAL's forward donation. One other 
major substance of our proposed protocol is to let more than one long transaction 
donate while serializability is preserved in a multilevel secure database. The notion of 
two-way donation locking with multilevel secure database is thus developed in our 
protocol. Our protocol allows donation from more than one long transaction, but for the 
sake of presentation simplicity, the degree of donation is limited to two in this paper. 

3 Proposed Protocol 

3.1 Assumptions 

To describe the wake expansion rule in detail, simplifications were made mainly with 
regard to transaction management principles. 

(1) (Transaction Operation): All transactions have either read or write operations on 
their data items. 

(2) (Security Policy): A transaction and its data items follow the MAC policy of the Bell 
and LaPadula model. 

(3) (Lower Level Transaction First): A lower level transaction holds a privilege on a 
data item rather than a higher-level one. 

(4) (Donation Privilege): Only long-lived transactions are privileged to use the donate 
operation. 

(5) (Commit Policy): A long-lived transaction eventually commits. 

(6) (Deadlock Handling): If a transaction happens to fall into a deadlock situation, that 
transaction will be eliminated by using a certain deadlock timeout scheme. 

In this paper, the multiplicity is rendered to the case of two to measure the effect of 
donation variety. The two-way donation locking protocol with Multilevel Secure 
Database, 2DL/MLS for short, can be pseudo-coded as follows (Algorithm Wake 
Expansion). 

Algorithm (Wake Expansion Rule of 2DL/MLS) 

Input : LT1; LT2; ST 
/* ST: short trans; LT1, LT2: long trans */ 

BEGIN 
  FOREACH LockRequest 
    IF (LockRequest.ST.data = Lock) THEN 
      /* Locks being requested by ST already granted to long 
         trans other than LT1 and LT2 */ 
      Reply := ScheduleWait(LockRequest); 
    ELSE IF (LockRequest.ST.data = Donated) THEN 
      /* Locks being requested by ST donated by long trans other 
         than LT1 and LT2 */ 
      FOREACH (ST.wake IN {LT1, LT2}) 
        IF (ST.wake = LT1) THEN 
          /* Donation conducted by LT1? */ 
          IF (ST.data IN LT1.marking-set) THEN 
            /* Data requested by ST to be later accessed by LT1? */ 
            Reply := ScheduleWait(LockRequest) 
          ELSE 
            Reply := SecurityCheck(LockRequest) 
          END IF 
        ELSE 
          IF (ST.data IN LT2.marking-set) THEN 
            /* Data requested by ST to be later accessed by LT2? */ 
            Reply := ScheduleWait(LockRequest) 
          ELSE 
            Reply := SecurityCheck(LockRequest) 
          END IF 
        END IF 
      END FOR 
    ELSE 
      Reply := SecurityCheck(LockRequest) 
    END IF 

    IF (Reply = Abort) THEN 
      /* Lock request of ST aborted */ 
      AbortTransaction(TransactionId); 
      Send(Abort); 
      Return(); 
    END IF 
  END FOR 
END 

SecurityCheck(TRAN, DATA, GUBUN) 
/* TRAN: transaction; DATA: data item to be transferred; 
   GUBUN: kind of request, Lock or Donated */ 

BEGIN 
  IF (TRAN.R = True) THEN            /* Simple-security property (Read option) */ 
    IF (TRAN.level >= DATA.level) THEN 
      /* Transaction's level dominates the data item's level */ 
      IF (GUBUN = Lock) THEN 
        Reply := ScheduleLock(LockRequest) 
      ELSE 
        Reply := ScheduleDonated(LockRequest) 
      END IF 
    ELSE                              /* No read up */ 
      Reply := DiscardData(LockRequest) 
    END IF 
  ELSE                                /* *-property (Write option) */ 
    IF (TRAN.level <= DATA.level) THEN 
      /* Data item's level dominates the transaction's level */ 
      IF (GUBUN = Lock) THEN 
        Reply := ScheduleLock(LockRequest) 
      ELSE 
        Reply := ScheduleDonated(LockRequest) 
      END IF 
    ELSE                              /* No write down */ 
      Reply := DiscardData(LockRequest) 
    END IF 
  END IF 
END 
3.2 Operations of 2DL/MLS

When donated data items are used under XAL/MLS, a short-lived transaction may request
only data items donated by a single long-lived transaction. Under 2DL/MLS, short-lived
transactions are given more freedom in accessing donated objects by eliminating this
single-donation constraint: a short-lived transaction can access objects donated by two
different long-lived transactions in a multilevel secure database.

2DL/MLS permits short-lived transactions to request data items donated by two different
long-lived transactions. A way to conduct a two-way donation is shown in Example 2, with
two separate long transactions and a single short transaction.

Example 2 (Allowing a Short-lived Transaction to Proceed with Two Concurrent Long-lived
Ones in a Multilevel Secure Database): Suppose that Tl1(R, ts), a long-lived transaction
with Read option and Top-secret clearance, attempts to access the data items A(ts), B(s),
C(c), D(u) and E(ts), in that order, in a multilevel secure database. Presume that
Tl1(R, ts) has already locked and successfully donated A(ts) and B(s), and is now in the
stage of accessing C(c). Suppose also that two more transactions are executing
concurrently with Tl1(R, ts): Tl2(W, s), a long-lived transaction that wants the data
items F(s), G(c), H(u), I(ts) and J(s) in that order, and Ts1(R, c), a short-lived
transaction with low clearance that wants B(s), G(c) and K(u), likewise in order.

Presume that Tl2(W, s) has already locked and successfully donated F(s) and skipped G(c)
because of the *-property of the BLP model. Tl2(W, s) is now in the stage of accessing
H(u) (Fig. 2).




Fig. 2. Execution of Tsi(R, c) with Two Concurrent Long-Lived Transactions 

If we apply XAL/MLS to these transactions, a lock request for B(s) by Ts1(R, c) would be
granted, but a lock request for G(c) would not, because G(c) has already been donated by
another long-lived transaction. Only after Tl2(W, s) commits can G(c) be passed to
Ts1(R, c).

Under 2DL/MLS, Ts1(R, c) is allowed to proceed without any delay. This is made possible
simply by including the wake of Tl2(W, s) in the wake of Tl1(R, ts). At the same time,
Ts1(R, c) is delayed by neither Tl1(R, ts) nor Tl2(W, s), the transactions with the
higher security level. Thus 2DL/MLS prevents covert channels by ensuring that lower level
transactions are never delayed by the actions of a higher level one. End of Example 2.
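The Wake Expansion Rule of Section 3.1 and the walk-through of Example 2, as an added Python model written for this page (it is not the authors' simulator). The data structures, the `max_donors` switch between the single-donation constraint of XAL/MLS and the two-way rule of 2DL/MLS, and the scenario itself are constructed; the scenario is modelled on Example 2 but uses a short reader at level s and a writer at level c so that every request in the walk-through is legal under the BLP checks of SecurityCheck().

```python
"""Toy model of the 2DL/MLS wake-expansion rule with the BLP SecurityCheck.

Added illustration written for this page; it is not the authors' simulator.
The data structures, the scenario and the transaction clearances below are
constructed (modelled on Example 2, with levels chosen so that every request
in the walk-through is legal under BLP)."""
from dataclasses import dataclass, field

# Security lattice used by the paper's examples: u < c < s < ts
LEVELS = {"u": 0, "c": 1, "s": 2, "ts": 3}


@dataclass
class LongTxn:
    name: str
    mode: str                                      # "R" (read) or "W" (write)
    level: str
    held: set = field(default_factory=set)         # locked and not donated
    donated: set = field(default_factory=set)      # locked, then donated
    marking_set: set = field(default_factory=set)  # items it will still access


@dataclass
class ShortTxn:
    name: str
    mode: str
    level: str
    wake: set = field(default_factory=set)         # donors whose wake it has entered


def security_check(mode, txn_level, data_level):
    """BLP check from SecurityCheck(): reads need level(txn) >= level(data)
    (simple property, no read up); writes need level(txn) <= level(data)
    (*-property, no write down)."""
    t, d = LEVELS[txn_level], LEVELS[data_level]
    return t >= d if mode == "R" else t <= d


def lock_request(st, item, item_level, longs, max_donors):
    """Decide one lock request of short transaction `st`.

    max_donors=1 is the single-donation constraint of XAL/MLS,
    max_donors=2 the two-way rule of 2DL/MLS.
    Returns 'Lock' (ScheduleLock/ScheduleDonated), 'Wait' (ScheduleWait)
    or 'Discard' (DiscardData)."""
    if any(item in lt.held for lt in longs):
        return "Wait"                        # granted to a long txn, not donated
    donors = [lt for lt in longs if item in lt.donated]
    if donors:
        donor = donors[0]
        if donor.name not in st.wake and len(st.wake) >= max_donors:
            return "Wait"                    # would need one donor too many
        if item in donor.marking_set:
            return "Wait"                    # donor will access the item again
    if not security_check(st.mode, st.level, item_level):
        return "Discard"                     # violates simple or *-property
    if donors:
        st.wake.add(donors[0].name)          # ST is now (also) in this donor's wake
    return "Lock"


def run_scenario(max_donors):
    """Constructed scenario: two long transactions have donated items and a
    short reader at level s asks for six items in order."""
    tl1 = LongTxn("Tl1", "R", "ts", donated={"A", "B", "C"}, marking_set={"C", "D", "E"})
    tl2 = LongTxn("Tl2", "W", "c", held={"I"}, donated={"F", "G"}, marking_set={"J"})
    ts1 = ShortTxn("Ts1", "R", "s")
    requests = [("B", "s"), ("G", "c"), ("K", "u"), ("C", "c"), ("I", "ts"), ("E", "ts")]
    return {item: lock_request(ts1, item, lvl, [tl1, tl2], max_donors)
            for item, lvl in requests}


if __name__ == "__main__":
    print("XAL/MLS (one donor): ", run_scenario(1))
    print("2DL/MLS (two donors):", run_scenario(2))
```

With one donor allowed, the request for G(c) waits because Ts1 is already in Tl1's wake; with two donors it is granted. The request for C(c) waits in both cases because Tl1 still intends to access it (its marking set), I(ts) waits because Tl2 holds it without donating, and E(ts) is discarded by the no-read-up check.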
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3.3 Correctness of 2DL/MLS 

In this section we show that 2DL/MLS satisfies both the serializability and the security
requirement. To do so we use the serializability theorem [4], the definition of Crest
Before [5] and a lemma used in proving the correctness of AL [5]. The serializability
theorem states that a history H is serializable iff its serialization graph is acyclic,
and the definition of Crest Before states that, for two transactions, Ti →u Tj if Ti
unlocks some data item before Tj locks some data item.

We use oi[x], pi[x] or qi[x] to denote the execution of either a read or a write operation
issued by a transaction Ti on a data item x. Reads and writes of data items are denoted
by ri[x] and wi[x], respectively. Lock operations are represented by oli[x], pli[x],
qli[x], rli[x] or wli[x]. Unlock and donate operations are denoted by ui[x] and di[x],
respectively. H represents a history that may be produced by 2DL/MLS, and C(H) is the
history obtained by deleting all operations of aborted transactions from H. Histories
produced by 2DL/MLS have the following properties.

Property 1 (Two-Phase Property): If oli[x] and ui[y] are in C(H), oli[x] < ui[y].

Property 2 (Lock Property): If oi[x] is in C(H), oli[x] < oi[x] < ui[x].

Property 3 (Donate Property): If oli[x] and di[x] are in C(H), oi[x] < di[x].

Property 4 (Unlock Property): If di[x] and ui[x] are in C(H), di[x] < ui[x].

Property 5 (Security Property): If level(Ti) ≥ level(ri[x]) in C(H), rli[x] < ui[x]. If
level(Ti) ≤ level(wi[x]) in C(H), wli[x] < ui[x].

Property 6 (Lower Level Transaction First Property): If level(Ti) < level(Tj) in C(H),
dj[x] < oli[x].

Transactions cannot simultaneously hold conflicting locks unless one of them has been
altruistically donated. Next we formalize our notion of wakes.

Definition 1 (Indebtedness): A transaction Tj is said to be indebted to Ti in H if oi[x],
di[x] and oj[x] exist in H, di[x] < oj[x] < uj[x], and either

- oi[x] and oj[x] conflict, or

- some intervening operation ok[x] conflicts with both oi[x] and oj[x].

(Operation ok[x] is intervening if di[x] < ok[x] < oj[x].)

Definition 2 (In The Wake): An operation oj[x] is in the wake of transaction Ti if di[x]
exists in H and di[x] < oj[x] < uj[x].

Definition 3 (Completely In The Wake): A transaction Tj is in the wake of Ti if any of
Tj's operations are in the wake of Ti. Tj is completely in the wake of Ti if all of its
operations are in Ti's wake.

With these definitions in place, we can express the second altruistic locking rule.

Property 7 (Indebtedness Property): If Tj is indebted to Ti, then for every oj[x] in C(H)
either oj[x] is in the wake of Ti or there exists ui[y] in C(H) such that ui[y] < oj[x].

If a transaction is indebted to another, it must remain completely in the other's wake
until it begins to unlock objects.

Lemma 1 (Altruism): If pi[x] and qj[x] (i ≠ j) are conflicting operations in C(H) and
pi[x] < qj[x], then ui[x] < qlj[x] or di[x] < qlj[x].

Proof: A data item must be locked before and unlocked after it is accessed, by Property
1. In the Wake Expansion Rule of 2DL/MLS, a conflicting lock on a data item, say a, is
allowed only when no transaction holds a lock on a or the transactions that hold locks on
a have donated it. Thus the history C(H) satisfies Lemma 1. End of Lemma 1.







H.-W. Kim et al. 



Lemma 2 (Completely-In-Wake): If T1 → T2 is in the serialization graph, then either
T1 →u T2 or T1 →d T2.

Proof: T1 → T2 in the serialization graph means that there exist conflicting operations,
say p1[x] and q2[x], in H such that p1[x] < q2[x]. By Lemma 1 there are only two cases in
which this can occur. One is that p1[x] < d1[x] < ql2[x] < q2[x] in C(H), i.e., T2
accesses a data item donated by T1.

Once T2 takes a conflicting lock on a data item donated by T1, T2 may access only the
wake of T1. T2 must be completely in the wake of T1 if T2 has accessed any part of the
wake of T1. This is ensured by the first ELSE IF condition in the algorithm. Even if T2
has already accessed data items that do not belong to the wake of T1, such data items are
included in the wake of T1 as long as T1 does not access any of them during its
execution. If a data item locked by T2 will be accessed by T1, the access of T2 to the
data items donated by T1 is not allowed, by the second FOREACH condition. Thus T1 → T2
corresponds to T1 →d T2 in the case p1[x] < d1[x] < ql2[x] < q2[x] in H. The other case,
by Lemma 1, is p1[x] < u1[x] < ql2[x] < q2[x] in C(H); there T1 → T2 corresponds to
T1 →u T2. End of Lemma 2.

Lemma 3 (Correctness of AL): Consider a path T1 → ... → Tn-1 → Tn in C(H). Either
T1 →d Tn, or there exists some Tk on the path such that T1 →u Tk.

Proof: We use induction on the path length n. By Lemma 2 the lemma is true for n = 2.
Assume the lemma is true for paths of length n-1 and consider a path of length n. By the
inductive hypothesis there are two cases:

- There is a Tk between T1 and Tn-1 such that T1 →u Tk. Then the lemma is also true for
the path of length n.

- T1 →d Tn-1 → Tn, and Tn-1 and Tn conflict on at least one object, x. Since Tn-1 is
completely in the wake of T1, we must have d1[x] < qln-1[x] in C(H). By Property 1, Tn
must lock x. By Property 4, T1 must unlock x. Either u1[x] < oln[x] or oln[x] < u1[x].
In the first case we have T1 →u Tn, i.e., Tn is the Tk of the lemma. In the second case
Tn is indebted to T1. By Property 6, Tn is completely in the wake of T1 (T1 →d Tn) or
T1 →u Tn.

Theorem 1 (Serializability of 2DL/MLS): If C(H) is acyclic, C(H) is serializable.

Proof: Assume that there exists a cycle T1 → ... → Tn-1 → Tn → T1 in the serialization
graph. By Lemma 3, T1 →d T1 or T1 →u Ti. By Property 3, only T1 →u Ti is possible. Since
Ti is prohibited from locking any more data items once T1 unlocks any one, Ti cannot be
T1. Applying Lemma 3 again to the same cycle starting from Ti, i.e., Ti → ... → Ti, we
get Ti →u Tk for the same reason, and thus T1 →u Ti →u Tk in all. Since the relation →u
is transitive, T1 →u Tk holds. Thus Tk cannot be T1 or Ti. Continuing to apply Lemma 3 to
the given cycle n-3 more times in this manner, we get a path T1 →u Ti →u Tk →u ... →u Tm
containing all transactions, i.e., T1 through Tn. Applying Lemma 3 to the given cycle
once more, starting from Tm, we are forced to obtain a cycle T1 →u Ti →u Tk →u ... →u Tm
→u T1, which contradicts Property 1 or Lemma 3. Thus the serialization graph is acyclic,
and by the serializability theorem C(H) is serializable. End of Theorem 1.

Theorem 2 (Security Satisfaction of 2DL/MLS): If H is a history with Properties 5
and 6, then H satisfies the security requirements.

Proof: By Property 5, a transaction can read data items at its own or a lower level and
write data items at its own or a higher level. Let Ti and Tj be two transactions such that
L(Ti) > L(Tj). If Ti and Tj conflict with each other, then Ti reads down the data item x
while Tj writes into x. There are two possible cases: (i) Tj holds a lock on x before Ti
requests a read lock on x, and (ii) Ti holds a read lock on x before Tj requests a lock.
In the first case, Ti must wait for the data item x until Tj donates x, by Property 6.
Therefore the lower level transaction Tj is not delayed by the higher level one, Ti. In
the second case, to prevent covert channels, Tj can lock x without delay by Property 6.
Thus Tj is neither delayed nor aborted by Ti. In both cases the proposed protocol
satisfies the security requirements. End of Theorem 2.



4 Performance Evaluation

4.1 Simulation Model

4.1.1 Queuing System Model

The simulation model (Fig. 3) consists of subcomponents in charge of the fate of a
transaction from the time of its inception to the time of its retreat: transaction
generator (TG), transaction manager (TM), scheduler (SCH), data managers (DMi) and
databases (DBi).

TG generates user transactions one after another and sends their operations to TM one
at a time, in an interleaved fashion. TM receives transactions from terminals and passes
them to the SCH queue.



Fig. 3. Simulation Model

DM analyzes an operation from SCH to determine which data item the operation intends
to access, and then sends the operation to the disk where the requested data item is
stored. Whenever an operation is completed at the server, it sends TM a message
informing it that the requested operation has completed successfully.

This simulation model has been implemented in the Scheme-based discrete-event simulation
(DEVS) language [6]. In the DEVS formalism one must specify basic models from which larger
ones are built, and describe how these models are connected together in a hierarchical
fashion [8].
4.1.2 Experimental Methodology

Table 1 summarizes the model parameters and shows the range of parameter values used in
our experiments.



Table 1. Simulation Parameters

  Parameter            Values
  db_size              100
  num_cpus             2
  num_disks            4
  num_of_level         4
  short_tran_size      2, 3, 4
  long_tran_size       5, 7, 9, 11, 13, 15
  tran_creation_time   2 units
  sim_leng             100, 300, 500, 700, 900, 1100, 1300, 1500



To see the performance tradeoff between 2PL/MLS and 2DL/MLS, the average transaction
length, represented by the number of operations in a transaction, was varied. The
shortest transaction is assumed to access 20 percent of the entire database, the longest
80 percent. The numbers of CPUs and disks, num_cpus and num_disks, are set to 2 and 4,
respectively. The idea of balancing them in a 1-to-2 ratio is taken from [7].

4.2 Simulation Results and Interpretations

4.2.1 Effect of Security Requirement Level

This experiment reveals that 2DL/MLS satisfies the security requirement of the Bell and
LaPadula model. We counted the ratio of processed data items that satisfy the security
requirement against the total number. Each transaction has a Read/Write option, one of
four clearance levels and the data items it processes; each data item has one of four
sensitivity levels. If a transaction satisfies the security requirement for the data item
it wishes to process, it processes the data item in the next time slice. Otherwise the
transaction discards the data item and remains in the current time slice of the operating
system. In this experiment the overall processing ratio was 61.4 percent, so the model
satisfies the security requirement of the BLP model.

4.2.2 Effect of Long-Lived Transaction Size

This experiment shows that 2DL/MLS generally outperforms 2PL/MLS in terms of throughput.
The best throughput is exhibited by 2DL/MLS and the worst average waiting time by
2PL/MLS.

The performance gain of 2DL/MLS over 2PL/MLS is a 112 to 125 percent increase in
throughput, except when the long transaction size is 11, and 2DL/MLS achieves a 94 to 72
percent decrease in transaction waiting time in every case. This is because 2DL/MLS is
2PL/MLS plus the donation of data items by long transactions.
Fig. 4. Throughputs

4.2.3 Effect of Timeout

Fig. 5. Average Waiting Time

At a higher range of timeout, 2DL/MLS shows a higher medium throughput and a lower
transaction waiting time among the three schemes. The throughputs of the three schemes
show the same value at timeout size 35.



[Figure parameters: average length of transaction: 8, average length of long
transactions: 13, int.arr.time: 5, sim.time: 500]

Fig. 6. Throughputs

Fig. 7. Average Waiting Time



The throughput of 2DL/MLS exceeds that of XAL/MLS and 2PL/MLS when the timeout size is
30. We can observe that the average waiting time curve of 2PL/MLS increases rapidly from
30 to 35 in Fig. 7. 2DL/MLS performs between 100 percent and 123 percent better than
2PL/MLS in transaction throughput. If the timeout size is extended far beyond a certain
point, say 30, the average waiting time curve of 2PL/MLS increases more than those of the
other two schemes. 2DL/MLS outperforms 2PL/MLS by 87.9 percent in transaction waiting
time when the timeout size is 35.



4.2.4 Effect of Simulation Time with Long-Lived Transactions

As the simulation time gets longer, short-lived transactions get more chances to use
donated objects. This experiment investigates the effect of the simulation time on the
performance of the concurrency control schemes as the degree of donation varies.
2DL/MLS shows the highest throughput and the lowest transaction waiting time of the
three schemes. The throughputs of the three schemes show the same value at simulation
time 100, but as the simulation time gets longer, the throughput of 2DL/MLS exceeds that
of XAL/MLS and 2PL/MLS once the simulation time is greater than 500. We can observe that
the throughput curves of XAL/MLS and 2DL/MLS tend to flatten when the simulation time is
greater than 900, and that the throughput of 2DL/MLS increased continually from the
beginning of the simulation.
Fig. 8. Throughputs

Fig. 9. Average Waiting Time



2DL/MLS performs best in terms of average waiting time at all simulation times. If the
simulation time is extended far beyond 500, the average waiting time curve of 2DL/MLS
decreases more than those of the other two schemes. 2DL/MLS outperforms 2PL/MLS by 69
percent in transaction waiting time when the simulation time is 900.

Overall, the results reveal that as the simulation time increases, 2DL/MLS generally
outperforms the other schemes in terms of both throughput and waiting time.

5 Conclusions

In this paper we proposed two-way donation locking for multilevel secure databases
(2DL/MLS), a protocol that improves concurrency control while satisfying the security
requirements. 2DL/MLS showed more satisfactory performance than the other schemes, and in
a multilevel secure database where long-lived transactions lead to abort overhead,
2DL/MLS is recommended to improve the degree of concurrency. 2DL/MLS is considered a
practical solution where short-lived or lower level transactions must access the
database quickly, without any delay caused by long-lived or higher level ones.
Abstract. The purpose of this paper is to introduce a way to deal with
uncertainties in risk analysis. Risk analysis is a key process in security 
management in that its result provides a decision-basis for safeguard 
implementation. However, it must often rely on speculation, educated 
guesses, incomplete data, and many unproven assumptions. Users of risk 
analysis often provide their uncertain subjective opinions as input values 
to risk analysis. Therefore, the consideration of uncertainties in input 
data should be made when performing a risk analysis. As a tool for 
expressing and dealing with uncertainties in input data, we suggest the 
use of belief functions. We provide examples of how to use belief functions 
in qualitative risk analysis methods. 



1 Introduction 

Risk analysis is the process of identifying security risks, determining their magnitude
and identifying areas that need safeguards [5]. Risk analysis is a key process in risk
management as it identifies potential risks and provides a basis for investing in
safeguards. Owing to the critical role of risk analysis in security management, a number
of risk analysis methods have been developed since the early 1980s. Examples include
annualized loss expectancy (ALE), Courtney, the Livermore risk analysis method (LRAM) and
CRAMM [2]. Risk analysis methods are mainly classified into either a quantitative or a
qualitative methodology.

In quantitative risk analysis approaches such as ALE, risks are represented as a function
of probabilistic variables. On the other hand, qualitative risk analysis approaches such
as CRAMM attempt to express risk in terms of descriptive variables (e.g., high, medium and
low). Although the quantitative approach provides sound logical justification for the
analysis results, it relies heavily on the accuracy of parameter estimation. In addition,
organizations may encounter a situation where they cannot provide any estimates. On the
other hand, the qualitative methodology maintains the view that risk analysis variables
cannot be expressed in exact probabilistic measures. Qualitative approaches are relatively
easier than quantitative ones since they do not require probabilistic estimates. However,
qualitative analysis lacks mathematical justification when compared with quantitative
approaches, and therefore the evaluation is likely to be more subjective than in the
quantitative approach.
Regardless of the methodology, the result of any risk analysis includes uncertainties.
Uncertainties in risk analysis imply potential differences between risk analysis
outcomes and reality. Uncertainties are important issues in risk analysis since we may
trust the result of an assessment even though the result is based on uncertain
evaluations. This situation leads to the implementation of inappropriate safeguards and a
false sense of security. Although this problem should be properly addressed in risk
analysis, little attention has been paid to uncertainties. Our approach to this problem
is based on the theory of belief functions, which is a general tool for representing
someone's degree of belief in an uncertain situation, where a degree of belief is
understood as strength of opinion.



2 Uncertainties in Risk Analysis 

Risk analysis must often rely on speculation, best guesses, incomplete data, and many
unproven assumptions [7]. According to [7], there are two primary sources of uncertainty:
(1) a lack of confidence or precision in the risk analysis model or methodology, and (2)
a lack of sufficient information to determine the exact value of the elements of the
risk model such as threat frequency, safeguard effectiveness and consequences. The first
type of uncertainty comes from the assumptions and omissions imposed within the risk
analysis model due to the inability to model the real world precisely. The second type
of uncertainty usually resides in risk analysis input values. Risk analysis data normally
come from two sources: statistical data and expert analysis. Although statistical data
sound authoritative, there are many potential problems with statistics such as invalid
sampling and sample size. Expert analysis is usually based on subjective opinion, which
also includes assumptions made (but not always explicitly articulated) by the expert.

Uncertainty is different from ambiguity; ambiguity is generally handled by fuzzy set
theory in risk analysis (for example, fuzzy metrics). According to [11], imprecision
(ambiguity) covers cases where the value of a variable is given but not with the required
precision, whereas uncertainty covers cases where an agent can construct a personal
subjective opinion (belief) in a proposition that is not definitively established.
Consider the following example: 'how much financial loss is incurred from the disclosure
of specific data?' Assume that the analyst is sure that it would be a medium loss (say,
>$1000 and <$5000) although he cannot express the exact figure. In this case, fuzzy
theory can be applied. On the other hand, assume that he thinks that it could be a
medium loss but is not sure about this because the actual loss might be smaller or
bigger than he expects. This situation represents the uncertainty in the analyst's
opinion.

In this paper our interest is limited to the second type of uncertainty, i.e. the
uncertainty in input data. The first type of uncertainty is related to the validity of
the risk analysis model itself. There is no definitive way of building a risk analysis
model, because there are inevitable assumptions and omissions in any risk analysis due to
the impossibility of constructing a model that exactly reflects the real world. In
addition, we consider only the qualitative approach, especially the scoring method, in
this paper. The belief function approach is normally defined on finite and discrete
variables and therefore fits the qualitative approach. If we used an interval scale to
estimate the probabilistic variables and assigned our degree of belief to each interval,
the belief function approach could, to some extent, be applied to the quantitative
approach. However, we do not consider quantitative approaches in this paper since in this
case the belief function approach requires a meta-probability (the probability over the
value of an unknown probability). In most quantitative approaches, point estimates are
usually used to represent the amount of loss and/or the probability of threat
occurrence. The PERT (Project Evaluation Review Technique) approach could be used as a
simple way of dealing with uncertainties in point estimates. For the estimation of the
expected loss, [3] suggests the use of the PERT technique. In the PERT approach there are
three point estimates for each variable: the pessimistic, most likely and optimistic
cases. For example, assume that the expected loss may vary from a to c and is b in the
most likely case. The expected loss in the PERT approach is then expressed as
(a + 4b + c)/6. Although there is still a possibility that the actual value does not lie
in this range, it provides a cost-efficient way of dealing with uncertainties.



3 Basics of Belief Functions 

The theory of belief functions (also called the Dempster-Shafer theory of evidence) was
introduced by Shafer [9] as a new approach for representing uncertainties. The belief
function approach is used in this paper to represent and deal with uncertainties in
scoring-method-based risk analysis. There are a number of variations of the scoring
method. However, the common feature of the scoring method is that scores are assigned to
each possible answer to a question, according to an analyst's opinion. Examples of the
scoring method and the belief function approach appear in the next section.

Belief functions start from constructing a finite set of worlds, denoted by Θ, called the
frame of discernment. In the scoring method, it represents the set of possible answers to
a question. One of its elements, denoted by θ0, corresponds to the real world (i.e., the
totally correct answer to the question). An analyst does not know which answer in Θ is
θ0. However, he has some opinion about which world might be θ0. For every A ⊆ Θ, he can
express the strength of his opinion that the actual answer θ0 belongs to A. This is done
using a basic probability assignment, which is a function m: 2^Θ → [0,1] that satisfies
∑{m(A) | A ⊆ Θ} = 1 and m(∅) = 0.

The quantity m(A) is understood to be the measure of belief that is committed exactly to
A. Suppose that the frame of discernment of variable X (ΘX) is {x1, x2, x3}. Then there
exist seven m-values: mX({x1}), mX({x2}), mX({x3}), mX({x1,x2}), mX({x1,x3}), mX({x2,x3})
and mX({x1,x2,x3}). The m-value of any subset represents the partial belief that the
actual answer belongs to it. The subscript represents the name of the variable to which
evidence is applied. Each element of the frame (xi) represents one possible answer to the
question. For example, suppose that the question is 'how many security incidents have
occurred last year?' and the possible answers are (1) x1: equal to or less than twice,
(2) x2: more than twice but less than five times, and (3) x3: equal to or more than five
times. Suppose that an analyst has identified that x2 is likely to be the right answer,
based on an interview with the appropriate staff. However, he is not totally sure, since
it is based on their memory and a written incident record is not available. He feels
that this interview supports x2 with a medium level of support (say 0.6). Therefore he
has assigned 0.6 to mX({x2}). The remaining uncommitted amount (1 − mX({x2}) = 0.4),
which represents ignorance, is then committed to ΘX (therefore mX({x1,x2,x3}) = 0.4).

As this example indicates, m-values are assigned using an analyst's subjective judgment.
However, the uncertainty in the subjective judgement is accounted for by the concept of
ignorance. The basic difference from probability theory is that m-values are assigned to
subsets of elements of a frame, whereas probabilities are assigned to individual elements
of the frame. Therefore the situation where m(B) > 0 and m(A) = 0 for all A ⊂ B can
happen, which cannot occur in probability theory.

The total belief in a subset B of a frame Θ is defined as Bel(B) = ∑{m(A) | A ⊆ B} for all
B ⊆ Θ, and the plausibility of B is defined as Pl(B) = ∑{m(A) | B ∩ A ≠ ∅} = 1 − Bel(B^c).
The value Bel(B) summarizes all our reasons for believing B based on the given evidence,
and the value Pl(B) represents how much we should believe B if all currently unknown
facts (i.e. the underlying ignorance) were to support B. The difference is that Bel(B)
quantifies the total amount of justified support given to B, while Pl(B) quantifies the
maximum amount of potential support that could be given to B.

If m1(C) and m2(C) are two m-values for the same variable induced by two independent
evidential sources, then the combined m-value is calculated according to Dempster's
rule, which is m1 ⊕ m2(C) = k^−1 ∑{m1(A)m2(B) | A ∩ B = C}, where k = 1 − ∑{m1(A)m2(B) |
A ∩ B = ∅} is a normalization constant. Normalization is required to satisfy the axiom
that the sum of m-values on a frame equals 1 where a conflict exists. A conflict exists
whenever ∑{m1(A)m2(B) | A ∩ B = ∅} > 0. Dempster's rule cannot be used when k = 0, in
which case the two items are not combinable.
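The definitions of this section (basic probability assignment, Bel, Pl and Dempster's rule with its normalization constant k), as an added Python example written for this page; it is not the paper's own code. The interview source is the one from the incident-count example above; the ticket-export and manager sources, and the names of all functions, are constructed for illustration, one to show a conflict-free combination and one a partially conflicting one.

```python
"""Dempster-Shafer basics from Section 3: basic probability assignment,
Bel, Pl and Dempster's rule of combination.

Added example written for this page; it is not the paper's own code.
A mass function is a dict from frozenset subsets of the frame to m-values.
The interview source is the one in the text; the ticket-export and manager
sources are constructed to show a conflict-free and a conflicting combination."""
import math


def check_bpa(m, frame):
    """A bpa gives no mass to the empty set and sums to 1 over subsets of frame."""
    if frozenset() in m:
        raise ValueError("m(empty set) must be 0")
    if not all(a <= frame for a in m):
        raise ValueError("masses only on subsets of the frame")
    if not math.isclose(sum(m.values()), 1.0):
        raise ValueError("masses must sum to 1")
    return True


def bel(m, b):
    """Bel(B) = sum of m(A) over all A that are subsets of B."""
    return sum(v for a, v in m.items() if a <= b)


def pl(m, b):
    """Pl(B) = sum of m(A) over all A that intersect B (equals 1 - Bel(complement))."""
    return sum(v for a, v in m.items() if a & b)


def combine(m1, m2):
    """Dempster's rule: m(C) = k^-1 * sum of m1(A)m2(B) over A∩B = C, where
    k = 1 - (mass of pairs with A∩B empty).  k == 0 means not combinable."""
    joint, conflict = {}, 0.0
    for a, va in m1.items():
        for b, vb in m2.items():
            c = a & b
            if c:
                joint[c] = joint.get(c, 0.0) + va * vb
            else:
                conflict += va * vb
    k = 1.0 - conflict
    if math.isclose(k, 0.0, abs_tol=1e-12):
        raise ValueError("total conflict (k = 0): sources are not combinable")
    return {c: v / k for c, v in joint.items()}


# Frame for 'how many security incidents occurred last year?' (Section 3)
X1, X2, X3 = "x1", "x2", "x3"          # <= 2, 3 or 4, >= 5 incidents
THETA = frozenset({X1, X2, X3})

# Source 1 (from the text): staff interview supports x2 with 0.6, rest is ignorance
M_INTERVIEW = {frozenset({X2}): 0.6, THETA: 0.4}
# Source 2 (constructed): a partial ticket export rules out 'two or fewer'
M_TICKETS = {frozenset({X2, X3}): 0.5, THETA: 0.5}
# Source 3 (constructed): a manager recalls at most two incidents, conflicting with source 1
M_MANAGER = {frozenset({X1}): 0.5, THETA: 0.5}


def interview_and_tickets():
    return combine(M_INTERVIEW, M_TICKETS)   # no conflict: k = 1


def interview_and_manager():
    return combine(M_INTERVIEW, M_MANAGER)   # conflict 0.3: k = 0.7


if __name__ == "__main__":
    for name, m in [("interview", M_INTERVIEW),
                    ("interview+tickets", interview_and_tickets()),
                    ("interview+manager", interview_and_manager())]:
        check_bpa(m, THETA)
        print(f"{name:18s} Bel({{x2}})={bel(m, frozenset({X2})):.3f} "
              f"Pl({{x2}})={pl(m, frozenset({X2})):.3f}")
```

For the interview alone, Bel({x2}) = 0.6 while Pl({x2}) = 1.0, the gap being the 0.4 of ignorance. Combining with the ticket export leaves m({x2}) at 0.6 but moves part of the ignorance to {x2, x3}; combining with the conflicting manager statement loses 0.3 of mass to the empty intersection, so the remaining masses are renormalized by k = 0.7.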



4 Scoring Method with Belief Functions 

The scoring method manipulates scores gathered from a set of questions that have a
predefined set of scores for each possible answer; the purpose of the question is to
analyze the value of an asset, the severity of a threat and/or the magnitude of a
vulnerability. A typical example of the scoring method can be found in CRAMM [2]. In
CRAMM, multiple-choice questions are used to gather information about threats and
vulnerabilities. A major drawback of the scoring method is that full justification of the
scoring system is not always possible. However, the scoring method provides an efficient
form of analysis and may be the only available approach in many situations. For example,
the quantitative approaches, which are based on probability measures, may not be
applicable due to the unavailability of these measures, and production rule (IF-THEN
rule) based systems may not permit detailed assessment, as the number of rules increases
dramatically when the granularity of analysis increases. Although the determination of
the importance of each question is critical, we do not consider it here since, as
mentioned earlier, there is no absolute answer to this problem. Our concern is how to
deal with an analyst's uncertain answers to questions. An analyst may often encounter the
situation where he cannot provide the right answer due to a lack of knowledge or
information; irrespective of this, the scoring method still forces him to choose one
answer.

4.1 Multiple-Choice Question 

Figure 1 illustrates an example scoring system used in CRAMM. As shown in figure 1, each
multiple-choice question may have a different number of possible answers, and the score
for each possible answer ranges according to the importance of the question (e.g.
question 6 is much more important than question 1). The total score for a specific set of
questions is used to determine the severity of a threat or the magnitude of a
vulnerability. Although several variations may be possible to deal with uncertainties in
such questions, let us consider the following simple strategy. For illustration purposes,
we use question 6 in figure 1.



Example Questionnaire:

1. Is the network gateway between 1 and 6 years old?
   a. Yes   0     b. No   10

6. How many incidents of technical failure of a network gateway
   have occurred in the last 3 years?
   a. Never   0              b. Once or twice   15
   c. Three times   25       d. More than three times   35

Ratings:
Low: Score under 33, Hi: Score over 68
Medium: Score between 34 and 67

Fig. 1. Example Multiple-Choice Questionnaire



Suppose that the analyst feels that the currently available evidence provides 
a high degree of support (say 0.8) that the actual answer is 'b'. At the same time, 
he is certain that an incident has occurred and therefore 'a' cannot be the right 
answer. Therefore, m({b})=0.8 and m({b, c, d})=0.2. Since we are familiar with 
probabilities rather than the m-values, we shall transform these m-values to the 
corresponding probabilities (denoted by BetP). This transformation is defined 
by Smets [10] and is called the pignistic transformation: 

$$\mathrm{BetP}(x) = \sum \{\, m(A)/|A| \;:\; A \subseteq \Theta \text{ such that } x \in A \,\} \quad \text{for all } x \in \Theta,$$ 

where |A| represents the number of elements in A. With the above exam- 
ple, BetP(a)=0, BetP(b)=m({b})+m({b,c,d})/3=13/15≈0.867, and BetP(c)=BetP(d) 
=m({b,c,d})/3=1/15≈0.067. Once we have such pignistic probabilities, we can use them 
in various decision-making frameworks. The expected value of the score in this 
example is 17.0 (=0·0+15·(13/15)+25·(1/15)+35·(1/15)). The consideration of uncer- 
tainties has been reflected in this value since it is based on the pignistic proba- 
bilities, which have been induced by the analyst's beliefs. 

If there are several analysts performing the same evaluation (i.e., the same ques- 
tion) or there are several pieces of information regarding the same question, 
Dempster's rule can be used to combine m-values from different sources. In ad- 
dition, we can assign a weight factor to each source (i.e., discount the m-values) if 
required. Suppose that there are n evidential sources and $m_i$ represents the m-values 
from evidential source i. Discounting m-values by some weight $w_i$ ($0<w_i<1$ 
and $\sum_i w_i=1$) is as follows. The discounted m-value is $(1-w_i)\,m_i(A)$ for all $A \subset \Theta$ 
and $(1-w_i)\,m_i(\Theta)+w_i$ if $A=\Theta$. 



4.2 Direct Score Assignment 

Assume that a questionnaire for threat valuation has n questions and the score to 
be assigned to each question ranges from 1 to 5 (integer). An analyst then assigns 
a score ranging from 1 to 5 as an answer to each question according to the result 
of his analysis. An example question is 'assess the appropriateness of the access 
privilege guidelines'. Depending on the result of the evaluation of an organization's 
manuals regarding the granting of access privileges, an analyst will assign a 
score ranging from 1 to 5 (1 for 'very inappropriate' and 5 for 'very appropriate'). 
Multiple-choice questions could also fit this type of scoring system. For example, 
if there are five possible answers to each question (say, a, b, c, d and e), the 
answers a, b, c, d and e will stand for the scores 1, 2, 3, 4 and 5, respectively. 
The pignistic transformation could be used to obtain an expected score value 
for each question, as illustrated in 4.1. 

However, we will use a different approach that is based on [4], which assesses 
the value of a candidate under multiple criteria. The approach in [4] transfers 
the m-values for the score with respect to each criterion i (denoted by $m_{C_i}$) to 
the m-values for the overall 'goodness' score. The transformation is defined as 
follows. Let $f_i(x)$ be the value of the goodness score when the value of the score 
for criterion i is x, and let $f_i(A)=\{f_i(x) : x \in A\}$. A represents a subset of the 
set of values of the score for criterion i, ranging from 1 to 5, and therefore 
$A \subseteq \{1,2,3,4,5\}$. The m-values for the overall goodness score derived from the 
m-values for the score of criterion i, denoted by $m_i$, are 

$$m_i(B) = \sum \{\, m_{C_i}(A) \;:\; f_i(A) = B \,\}.$$ 

B is a subset of the set of possible values for the goodness score, 
ranging from 1 to 5 ($B \subseteq \{1,2,3,4,5\}$). The values of $f_i(x)$ are provided in table 
1; $\beta$ represents the level of importance (weight factor) of criterion i. Combining 
the m-values derived from each criterion by Dempster's rule yields the m-values 
for the overall goodness score, which are $m(B)=(m_1 \oplus m_2 \oplus \cdots \oplus m_n)(B)$, where 
n is the number of criteria. 

Table 1. Example Table for Goodness Score (Source: [4]) 

  β \ x    1    2    3    4    5 
  ------------------------------ 
  e        1    3    4    5    5 
  f        1    2    4    5    5 
  g        1    2    3    4    5 



Let us consider the following example. Suppose that one question ($Q_1$) in the 
questionnaire that evaluates the threat of unauthorized access is 'what is the 
trend in the unauthorized access incident rate'. The score for this question varies 
from 1 to 5 (1 for 'very low' and 5 for 'very high') and the overall threat score 
also varies from 1 to 5 (1 for 'very low' and 5 for 'very high'). An analyst 
feels that it is either medium or high with 0.7 degree of support and he has 
no opinion on other subsets of the score values. Therefore, $m_{Q_1}(\{3,4\})=0.7$ 
and $m_{Q_1}(\{1,2,3,4,5\})=0.3$. Assume that the level of importance of this ques- 
tion is g in table 1. Since $f_g$ maps each score to itself, the m-values for the overall 
threat valuation score derived from the m-values for the score of this question 
are $m_1(\{3,4\})=m_{Q_1}(\{3,4\})=0.7$, $m_1(\{1,2,3,4,5\})=m_{Q_1}(\{1,2,3,4,5\})=0.3$, 
and the m-value for any other subset is 0. 
These m-values are to be combined with the m-values derived from other ques- 
tions to obtain the m-values for the threat valuation score. 
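The following Python is an added example, not code from the paper, that implements the machinery of 4.1 and 4.2 as reusable functions: the pignistic transformation, discounting of a source by a weight, Dempster's rule of combination, and the transfer of criterion m-values to goodness-score m-values through table 1. The question 6 data and the $Q_1$ data are the paper's; the second analyst in question6_two_analysts, the second question in threat_score_from_two_questions and all function names are my own constructed inputs.

```python
"""Belief-function helpers for the scoring methods of sections 4.1 and 4.2.

Added example, not code from the paper.  A mass function (the paper's
m-values) is a dict mapping a frozenset of answers/scores to its mass; the
masses of the focal sets must sum to 1.
"""
from itertools import product


def pignistic(m, frame):
    """Smets' pignistic transformation: BetP(x) = sum_{A : x in A} m(A) / |A|."""
    betp = {x: 0.0 for x in frame}
    for focal, mass in m.items():
        for x in focal:
            betp[x] += mass / len(focal)
    return betp


def expected_score(betp, scores):
    """Expected questionnaire score under the pignistic probabilities."""
    return sum(betp[x] * scores[x] for x in betp)


def discount(m, frame, w):
    """Discount a source by weight w: (1-w)m(A) for A != frame, plus w on the frame."""
    out = {A: (1.0 - w) * v for A, v in m.items()}
    out[frozenset(frame)] = out.get(frozenset(frame), 0.0) + w
    return out


def dempster(m1, m2):
    """Dempster's rule: multiply masses on intersecting focal sets, renormalise by 1 - conflict."""
    combined, conflict = {}, 0.0
    for (A, a), (B, b) in product(m1.items(), m2.items()):
        inter = A & B
        if inter:
            combined[inter] = combined.get(inter, 0.0) + a * b
        else:
            conflict += a * b
    if conflict >= 1.0:
        raise ValueError("totally conflicting sources; Dempster's rule is undefined")
    return {A: v / (1.0 - conflict) for A, v in combined.items()}


def transfer_scores(m, f):
    """Section 4.2 transformation: m_i(B) = sum of m_Ci(A) over all A with f_i(A) = B."""
    out = {}
    for A, v in m.items():
        B = frozenset(f[x] for x in A)
        out[B] = out.get(B, 0.0) + v
    return out


# --- Section 4.1: question 6 of figure 1 -------------------------------------
Q6_FRAME = ("a", "b", "c", "d")
Q6_SCORES = {"a": 0, "b": 15, "c": 25, "d": 35}
# The paper's analyst: 0.8 on 'b', the remaining 0.2 on {b, c, d} since 'a' is ruled out.
Q6_MASS = {frozenset("b"): 0.8, frozenset("bcd"): 0.2}


def question6_expected_score():
    return expected_score(pignistic(Q6_MASS, Q6_FRAME), Q6_SCORES)


def question6_two_analysts(w1=0.5, w2=0.5):
    """Combine the paper's analyst with a constructed second analyst who is
    certain the answer is 'c' or 'd'; both sources are discounted first."""
    second = {frozenset("cd"): 1.0}  # constructed input
    return dempster(discount(Q6_MASS, Q6_FRAME, w1), discount(second, Q6_FRAME, w2))


# --- Section 4.2: table 1 and the threat-valuation example -------------------
SCORES = (1, 2, 3, 4, 5)
TABLE1 = {  # importance level beta -> f_beta(x)
    "e": {1: 1, 2: 3, 3: 4, 4: 5, 5: 5},
    "f": {1: 1, 2: 2, 3: 4, 4: 5, 5: 5},
    "g": {1: 1, 2: 2, 3: 3, 4: 4, 5: 5},
}


def threat_score_from_two_questions():
    """Q1 is the paper's question (importance g); Q2 is a constructed second
    question of importance e with mass 0.5 on score 2.  Returns the combined
    m-values for the overall threat valuation score."""
    q1 = {frozenset({3, 4}): 0.7, frozenset(SCORES): 0.3}
    q2 = {frozenset({2}): 0.5, frozenset(SCORES): 0.5}  # constructed input
    return dempster(transfer_scores(q1, TABLE1["g"]), transfer_scores(q2, TABLE1["e"]))
```

Two points worth noticing when running it: the conflict between the first analyst's mass on {b} and the second analyst's mass on {c, d} is absorbed by the renormalisation in dempster, so a totally conflicting pair of undiscounted sources would raise; and transfer_scores is many-to-one (under importance e the score 2 becomes goodness 3, and {4, 5} collapses to {5}), so masses on different criterion subsets can merge into one goodness subset.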

4.3 Risk Matrix 

A risk matrix is a decision basis for determining the level of risk based on the 
significance of an asset, the likelihood of a relevant threat's occurrence and the 
magnitude of the vulnerability for this asset and threat pair. For example, the 
risk score in CRAMM is '7' if the significance of the asset is '10', the likelihood of 
the threat is 'very high' and the magnitude of vulnerability is 'high'. A similar 
matrix approach (called threat evaluation) is used in RiskWatch [8] to evalu- 
ate the threat, although the main approach within RiskWatch is quantitative. 
The threat rating in RiskWatch is 'A1' if the likelihood of threat occurrence is 
'virtually certain' and the impact of this threat occurrence is 'fatal'. 

The risk matrix is used within the risk management process to assist the 
selection of cost-effective safeguards. It can also be used at a high level to provide 
an overview of the areas at high risk. Uncertainty issues should be properly 
addressed in determining the level of risk from the sets of scores for assets, 
threats and vulnerabilities. For simplicity, our example considers only two levels 
(high (H) and low (L)) of asset, threat and vulnerability valuation and three 
levels (high (H), medium (M) and low (L)) of risk valuation. This example risk 
matrix is shown in table 2. Thus, for example, if the threat is 'high', the vulnerability is 
'high' and the asset is 'high', then the risk is 'high'. 

Assume that we have m-values for the asset (A), threat (T) and vulnerability 
(V) variables and, based on these m-values, we want to obtain m-values for the 
risk variable (R). The frames for these variables are $\Theta_A=\{l_A,h_A\}$, $\Theta_T=\{l_T,h_T\}$, 
$\Theta_V=\{l_V,h_V\}$ and $\Theta_R=\{l_R,m_R,h_R\}$ respectively. Unlike the example in 4.2, we 
cannot use the transformation of m-values. This is because, for example, a high 
asset value does not necessarily mean a high risk, as shown in table 2. Rather, the 
risk is determined by considering all the asset, threat and vulnerability values. 
The resulting m-values for the risk variable after considering the relationships 
in table 2, denoted by $m^{\downarrow R}$, are as follows (the proof is provided in the appendix). 

Table 2. Example Risk Matrix 

               Threat:          L     L     H     H 
               Vulnerability:   L     H     L     H 
  Asset: L                      L     L     M     M 
  Asset: H                      M     M     H     H 


Here, we will omit the set symbol ({}) for simplicity (e.g., $l_T$ instead of $\{l_T\}$). 

$$m^{\downarrow R}(\{l_R\}) = m_T(l_T)m_V(l_V)m_A(l_A) + m_T(l_T)m_V(h_V)m_A(l_A) + m_T(l_T)m_V(\Theta_V)m_A(l_A). \qquad (1)$$ 

$$\begin{aligned} m^{\downarrow R}(\{m_R\}) = {} & m_T(l_T)m_V(l_V)m_A(h_A) + m_T(l_T)m_V(h_V)m_A(h_A) \\ & + m_T(h_T)m_V(l_V)m_A(l_A) + m_T(h_T)m_V(h_V)m_A(l_A) \\ & + m_T(l_T)m_V(\Theta_V)m_A(h_A) + m_T(h_T)m_V(\Theta_V)m_A(l_A). \end{aligned} \qquad (2)$$ 

$$m^{\downarrow R}(\{h_R\}) = m_T(h_T)m_V(l_V)m_A(h_A) + m_T(h_T)m_V(h_V)m_A(h_A) + m_T(h_T)m_V(\Theta_V)m_A(h_A). \qquad (3)$$ 

$$\begin{aligned} m^{\downarrow R}(\{l_R,m_R\}) = {} & m_T(l_T)m_V(l_V)m_A(\Theta_A) + m_T(\Theta_T)m_V(l_V)m_A(l_A) \\ & + m_T(l_T)m_V(h_V)m_A(\Theta_A) + m_T(\Theta_T)m_V(h_V)m_A(l_A) \\ & + m_T(l_T)m_V(\Theta_V)m_A(\Theta_A) + m_T(\Theta_T)m_V(\Theta_V)m_A(l_A). \end{aligned} \qquad (4)$$ 

$$\begin{aligned} m^{\downarrow R}(\{m_R,h_R\}) = {} & m_T(\Theta_T)m_V(l_V)m_A(h_A) + m_T(\Theta_T)m_V(h_V)m_A(h_A) \\ & + m_T(h_T)m_V(l_V)m_A(\Theta_A) + m_T(h_T)m_V(h_V)m_A(\Theta_A) \\ & + m_T(\Theta_T)m_V(\Theta_V)m_A(h_A) + m_T(h_T)m_V(\Theta_V)m_A(\Theta_A). \end{aligned} \qquad (5)$$ 

$$m^{\downarrow R}(\Theta_R) = m_T(\Theta_T)m_V(l_V)m_A(\Theta_A) + m_T(\Theta_T)m_V(h_V)m_A(\Theta_A) + m_T(\Theta_T)m_V(\Theta_V)m_A(\Theta_A). \qquad (6)$$ 

Suppose that we feel that the likelihood of threat occurrence is 'low' with 0.8 
degree of support ($m_T(l_T)=0.8$), the magnitude of vulnerability is 'high' with 0.6 
degree of support ($m_V(h_V)=0.6$), and the value of the asset is 'high' with 0.7 degree 
of support ($m_A(h_A)=0.7$). Also, suppose that $m_T(h_T)=m_V(l_V)=m_A(l_A)=0$, so that 
the remaining mass sits on the frames: $m_T(\Theta_T)=0.2$, $m_V(\Theta_V)=0.4$ and $m_A(\Theta_A)=0.3$. 
From the equations above, we have $m^{\downarrow R}(\{m_R\})=0.56$, $m^{\downarrow R}(\{l_R,m_R\})=0.24$, 
$m^{\downarrow R}(\{m_R,h_R\})=0.14$ and, from (6), $m^{\downarrow R}(\Theta_R)=0.06$. These m-values can be 
used during decision-making processes such as safeguard selection if they are 
transformed to probabilities by the pignistic transformation. 
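As an added example (my code, not the paper's), the following Python computes $m^{\downarrow R}$ for any two-level risk matrix without writing out equations (1)-(6) by hand. It enumerates each combination of focal sets of the three input mass functions, multiplies their masses, and records the set of risk levels that the combination can reach through the matrix; this is the vacuous extension and marginalization of the appendix in a single step. The matrix and the numbers in paper_example are taken from table 2 and the worked example above; check_mass and the function names are mine.

```python
"""Risk-matrix marginalisation of section 4.3 (added example, not the paper's code).

Rather than transcribing equations (1)-(6), enumerate every combination of focal
elements of the threat, vulnerability and asset mass functions, multiply their
masses and record the set of risk levels the combination can reach under the
matrix.  That is the vacuous extension onto the joint frame followed by the
marginalisation onto the risk frame described in the appendix; no conflict can
arise because each (threat, vulnerability, asset) triple has exactly one risk level.
"""
from itertools import product

# Table 2: (threat, vulnerability, asset) -> risk, with l/m/h for low/medium/high.
RISK_MATRIX = {
    ("l", "l", "l"): "l", ("l", "h", "l"): "l",
    ("h", "l", "l"): "m", ("h", "h", "l"): "m",
    ("l", "l", "h"): "m", ("l", "h", "h"): "m",
    ("h", "l", "h"): "h", ("h", "h", "h"): "h",
}
TWO_LEVEL = frozenset({"l", "h"})


def check_mass(m, frame):
    """A mass function must put its focal sets inside the frame and sum to 1."""
    if any(not A or not A <= frame for A in m):
        raise ValueError("focal set outside the frame or empty")
    if abs(sum(m.values()) - 1.0) > 1e-9:
        raise ValueError("masses must sum to 1")


def marginal_risk(m_t, m_v, m_a, matrix=RISK_MATRIX):
    """Return the m-values of the risk variable (the paper's m^{downarrow R})."""
    for m in (m_t, m_v, m_a):
        check_mass(m, TWO_LEVEL)
    m_r = {}
    for (t_set, mt), (v_set, mv), (a_set, ma) in product(m_t.items(), m_v.items(), m_a.items()):
        # Risk levels reachable from any triple in the product of the three focal sets.
        reachable = frozenset(matrix[(t, v, a)] for t in t_set for v in v_set for a in a_set)
        m_r[reachable] = m_r.get(reachable, 0.0) + mt * mv * ma
    return m_r


def pignistic(m, frame):
    """Smets' pignistic transformation, to turn the result into probabilities."""
    betp = {x: 0.0 for x in frame}
    for A, v in m.items():
        for x in A:
            betp[x] += v / len(A)
    return betp


def paper_example():
    """Section 4.3's numbers: threat low 0.8, vulnerability high 0.6, asset high 0.7,
    with the remaining mass of each source on its whole frame."""
    m_t = {frozenset({"l"}): 0.8, TWO_LEVEL: 0.2}
    m_v = {frozenset({"h"}): 0.6, TWO_LEVEL: 0.4}
    m_a = {frozenset({"h"}): 0.7, TWO_LEVEL: 0.3}
    return marginal_risk(m_t, m_v, m_a)
```

Because the matrix is supplied as data, the same function serves CRAMM-style matrices with more levels: only RISK_MATRIX and the frame passed to check_mass change. The pignistic probabilities of the paper's example come out as BetP(l)=0.14, BetP(m)=0.77 and BetP(h)=0.09.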

4.4 Questions with Yes/No Answers 

Now, let us look at risk analysis based on questions that require Yes/No answers. 
This kind of risk analysis often appears in checklist methods. Checklists are used 
to check whether specific controls exist. One simple scoring system with the checklist 
method is to use the percentage of controls in place compared with the number 
of controls listed in the checklist; this highlights areas where 
many controls are missing. A typical question in the checklist method is 'ensure 
that the access privileges are managed properly'. Although the analyst has iden- 
tified that well-defined access control lists exist, he cannot give a 'Yes' answer 
to this question if he has not examined whether they preserve the principle of 
least privilege. This imperfect information regarding the question gives him only 
a partial belief in 'Yes' rather than a definite 'Yes'. 

Using belief function formulas for an AND-tree [12], we apply the belief 
function approach to the checklist method. An AND-tree (figure 2) is a special type 
of evidential network that consists of '&' circles, rounded rectangles and proper 
rectangles. A rounded rectangle represents a variable and a proper rectangle 
represents evidence, which is connected to the variable that it directly supports. A 
'&' circle implies that the variable on the left of the '&' is true if and only if all the 
variables on the right of the '&' are true. For example, suppose that the variable 
on the left-side of the '&' circle is an asset (A). Also suppose that there are 
n variables on the right-side of the '&' circle and that these variables correspond to 
the baseline security controls ($C_i$). Each control variable $C_i$ has two propositions 
($\Theta_{C_i}=\{c_i,\neg c_i\}$): one proposition is that the control is in place ($c_i$), and the other 
proposition is that the control is not in place ($\neg c_i$). The propositions at the asset 
variable ($\Theta_A=\{a,\neg a\}$) are that the asset is secured (a) and that the asset is not 
secured ($\neg a$). 




Fig. 2. Example AND-Tree for Checklist Method 



In the baseline approach [6], we protect an asset by baseline protection, which 
means that the controls listed in the baseline protection manual should be in place 
whenever they are applicable. Therefore, if any of these controls is missing, we 
can say that the asset is not properly secured. This characteristic of baseline 
protection (and therefore of the checklist method) suits the AND-tree in that the 
asset is properly secured if and only if all the relevant baseline controls are in 
place. The process for obtaining the marginal m-values is similar to 4.3 except 
that the frame of discernment on the '&' circle reflects the characteristic of AND- 
trees. The proof for these equations is detailed in [13]. The marginal m-values 
for the asset variable in an AND-tree are as follows. 






(7) 

$$m_A(\{\neg a\}) = 1 - \prod_{i=1}^{n}\bigl[1 - m_{C_i}(\{\neg c_i\})\bigr]. \qquad (8)$$ 

$$m_A(\{a,\neg a\}) = 1 - m_A(\{a\}) - m_A(\{\neg a\}). \qquad (9)$$ 

Suppose that an organization performs a self-assessment of its compliance 
with BS7799-Part 2 [1]. There are two controls (n=2) to prevent compromise or 
theft of information and IT facilities (control objective 5.3 in [1]). One is about 
the clear desk policy and the other is about the removal of property. Let us denote 
this control objective by O and the controls by $C_1$ and $C_2$ respectively. Assume 
that the organization feels that these controls have been implemented with 0.8 
degree of belief for $C_1$ ($m_{C_1}(\{c_1\})=0.8$) and 0.3 for $C_2$ ($m_{C_2}(\{c_2\})=0.3$). Also, 
assume that $m_{C_1}(\{\neg c_1\})=m_{C_2}(\{\neg c_2\})=0$. From equations (7)-(9) (but re- 
placing A with O), we have $m_O(\{o\})=0.24$ and $m_O(\{o,\neg o\})=0.76$. Therefore, the 
degree of belief that this objective has been met is 0.24. The degree of plausibil- 
ity that this objective has not been met is 0.76, which represents the maximum 
potential amount of support that the objective has not been met. 
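The AND-tree evaluation of 4.4, as an added example (my code, not the paper's). Equation (7) is not legible on this page; the code assumes the standard AND-tree result of [12] that the belief in 'secured' is the product of the $m_{C_i}(\{c_i\})$, which is the only form consistent with the paper's value 0.24 = 0.8 · 0.3, and it implements (8) and (9) as printed. The BS7799 numbers are the paper's; with_negative_evidence and the function names are constructed.

```python
"""AND-tree evaluation of a checklist (section 4.4); added example, not the paper's code.

Each control C_i contributes m_Ci({c_i}) (belief it is in place) and m_Ci({not c_i})
(belief it is missing), with the remainder on the frame.  The asset/objective is
secured iff every control is in place.
"""
from math import prod


def and_tree(controls):
    """controls: list of (m_ci({c_i}), m_ci({not c_i})) pairs.
    Returns m_A over {a}, {not a}, {a, not a} plus belief/plausibility values."""
    for in_place, missing in controls:
        if in_place < 0 or missing < 0 or in_place + missing > 1.0 + 1e-12:
            raise ValueError("each control's masses must be non-negative and sum to at most 1")
    # Assumed form of (7): all controls in place.  Reproduces the paper's 0.24.
    m_a = prod(c for c, _ in controls)
    # (8): at least one control is known to be missing.
    m_not_a = 1.0 - prod(1.0 - n for _, n in controls)
    # (9): residual ignorance.
    m_theta = 1.0 - m_a - m_not_a
    return {
        "a": m_a,
        "not_a": m_not_a,
        "theta": m_theta,
        "bel_a": m_a,                 # Bel({a})
        "pl_a": 1.0 - m_not_a,        # Pl({a}) = 1 - Bel({not a})
        "pl_not_a": 1.0 - m_a,        # Pl({not a}) = 1 - Bel({a})
    }


def bs7799_objective_5_3():
    """The paper's example: clear desk policy 0.8, removal of property 0.3,
    no evidence that either control is missing."""
    return and_tree([(0.8, 0.0), (0.3, 0.0)])


def with_negative_evidence():
    """Constructed variant: the assessor also has evidence that each control is missing."""
    return and_tree([(0.8, 0.1), (0.3, 0.5)])
```

The constructed variant shows why (8) matters in practice: a single control with even modest evidence of absence pushes belief in 'not secured' up quickly (here to 0.55), while belief in 'secured' is unchanged at 0.24, so the interval [Bel(a), Pl(a)] narrows from [0.24, 1.0] to [0.24, 0.45].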

5 Conclusion 

We have briefly overviewed some scoring methods that are used in qualitative risk 
analysis. The belief function approach can provide these risk analysis methods 
with the ability to express and manipulate the uncertainties that exist in input data. 
The advantage of using the belief function approach is that the result of a risk 
analysis is more reliable in that the analyst's ignorance has been taken into account; 
by expressing the uncertainties (as degree of belief and degree of ignorance), 
a more reliable risk analysis becomes possible. The problem with computerized risk 
analysis tools is that a novice user may generate an impressive-looking risk analysis 
report; even if he does not know the answers to questions, he must provide his 
opinions in many cases, and these opinions are then treated as definitive answers. 

Disadvantages of the belief function approach are that there is no detailed 
account of how m-values are measured, and that the approach usually involves 
some level of computational complexity. The first disadvantage is not limited 
to m-values but is equally relevant to any decision-making problem that is 
based on subjective judgment (e.g., subjective probabilities). The solution to 
the second disadvantage is the use of automated facilities for dealing with belief 
functions. A major trend in risk analysis today is the use of automated risk 
analysis tools; a module for belief functions can therefore be embedded within 
such tools. To date, there has been only limited consideration of uncer- 
tainties within risk analysis. Therefore, the belief function approach needs to be 
further examined to obtain sounder risk analysis methods. 
Appendix 

To obtain m-values for the risk variable from the m-values of the asset, threat and vul- 
nerability variables, we use some basic techniques in evidence theory (called 
vacuous extension and marginalization). Vacuous extension deals with the addi- 
tion of extra coordinates to the current frame whereas marginalization deals with 
the dropping of extra coordinates. According to table 2, there are only 8 possible 
combinations of risk, threat, vulnerability and asset values. Let this set of com- 
binations be 

$$\Theta=\{(l_R,l_T,l_V,l_A),\ (m_R,l_T,l_V,h_A),\ (l_R,l_T,h_V,l_A),\ (m_R,l_T,h_V,h_A),\ (m_R,h_T,l_V,l_A),\ (h_R,h_T,l_V,h_A),\ (m_R,h_T,h_V,l_A),\ (h_R,h_T,h_V,h_A)\}.$$ 

This represents the frame of discernment on the joint node where all the 
variables are put together¹. The next step is to extend the m-values for the threat, 
vulnerability and asset variables vacuously onto Θ so that all the m-values for 
every variable are defined on the same frame (Θ). The vacuous extension of 
the m-values of the threat variable yields the following m-values (denoted by 
$m^{T\uparrow\{R,T,V,A\}}$): 

$$m^{T\uparrow\{R,T,V,A\}}(\{(l_R,l_T,l_V,l_A),(m_R,l_T,l_V,h_A),(l_R,l_T,h_V,l_A),(m_R,l_T,h_V,h_A)\})=m_T(\{l_T\}),$$ 
$$m^{T\uparrow\{R,T,V,A\}}(\{(m_R,h_T,l_V,l_A),(h_R,h_T,l_V,h_A),(m_R,h_T,h_V,l_A),(h_R,h_T,h_V,h_A)\})=m_T(\{h_T\}),$$ 
$$m^{T\uparrow\{R,T,V,A\}}(\Theta)=m_T(\Theta_T),$$ 

and m-values for all other subsets of Θ are 0. 

Similarly, the vacuous extensions of the m-values of the vulnerability variable 
are as follows: 

$$m^{V\uparrow\{R,T,V,A\}}(\{(l_R,l_T,l_V,l_A),(m_R,l_T,l_V,h_A),(m_R,h_T,l_V,l_A),(h_R,h_T,l_V,h_A)\})=m_V(\{l_V\}),$$ 
$$m^{V\uparrow\{R,T,V,A\}}(\{(l_R,l_T,h_V,l_A),(m_R,l_T,h_V,h_A),(m_R,h_T,h_V,l_A),(h_R,h_T,h_V,h_A)\})=m_V(\{h_V\}),$$ 
$$m^{V\uparrow\{R,T,V,A\}}(\Theta)=m_V(\Theta_V),$$ 

and m-values for all other subsets of Θ are 0. 

The vacuous extensions of the m-values of the asset variable are as follows: 

$$m^{A\uparrow\{R,T,V,A\}}(\{(l_R,l_T,l_V,l_A),(l_R,l_T,h_V,l_A),(m_R,h_T,l_V,l_A),(m_R,h_T,h_V,l_A)\})=m_A(\{l_A\}),$$ 
$$m^{A\uparrow\{R,T,V,A\}}(\{(m_R,l_T,l_V,h_A),(m_R,l_T,h_V,h_A),(h_R,h_T,l_V,h_A),(h_R,h_T,h_V,h_A)\})=m_A(\{h_A\}),$$ 
$$m^{A\uparrow\{R,T,V,A\}}(\Theta)=m_A(\Theta_A),$$ 

and m-values for all other subsets of Θ are 0. 

¹ In general, the joint m-values are defined on the Cartesian product of the frames of 
the variables, which has 24 elements for this example. Our approach is based on [13]. 

Using Dempster's rule of combination, we now combine these m-values 
to obtain the joint m-values (denoted by m), which are shown in ta- 
ble 3 (1, 2, 3, 4, 5, 6, 7 and 8 stand for $(l_R,l_T,l_V,l_A)$, $(m_R,l_T,l_V,h_A)$, 
$(l_R,l_T,h_V,l_A)$, $(m_R,l_T,h_V,h_A)$, $(m_R,h_T,l_V,l_A)$, $(h_R,h_T,l_V,h_A)$, $(m_R,h_T,h_V,l_A)$ 
and $(h_R,h_T,h_V,h_A)$ respectively). Since every extended focal set of one variable 
meets every extended focal set of the others in at least one of these eight tuples, 
no conflict arises and the rule reduces to the product of the three m-values with 
no normalization. From these m-values, we can obtain the marginal 
m-values (denoted by $m^{\downarrow R}$) of the risk variable by marginalizing them onto 
the frame of the risk variable (i.e. $\Theta_R=\{l_R,m_R,h_R\}$). Marginalization, similar to 
the marginalization of probabilities, sums all the m-values for a given set of elements 
of $\Theta_R$, which yields equations (1)-(6) in 4.3. 



Table 3. The joint m-values for risk, threat, vulnerability and asset variables 

  m({1}) = m_T(l_T) m_V(l_V) m_A(l_A)          m({2}) = m_T(l_T) m_V(l_V) m_A(h_A) 
  m({3}) = m_T(l_T) m_V(h_V) m_A(l_A)          m({4}) = m_T(l_T) m_V(h_V) m_A(h_A) 
  m({5}) = m_T(h_T) m_V(l_V) m_A(l_A)          m({6}) = m_T(h_T) m_V(l_V) m_A(h_A) 
  m({7}) = m_T(h_T) m_V(h_V) m_A(l_A)          m({8}) = m_T(h_T) m_V(h_V) m_A(h_A) 
  m({1,2}) = m_T(l_T) m_V(l_V) m_A(Θ_A)        m({3,4}) = m_T(l_T) m_V(h_V) m_A(Θ_A) 
  m({5,6}) = m_T(h_T) m_V(l_V) m_A(Θ_A)        m({7,8}) = m_T(h_T) m_V(h_V) m_A(Θ_A) 
  m({1,3}) = m_T(l_T) m_V(Θ_V) m_A(l_A)        m({2,4}) = m_T(l_T) m_V(Θ_V) m_A(h_A) 
  m({5,7}) = m_T(h_T) m_V(Θ_V) m_A(l_A)        m({6,8}) = m_T(h_T) m_V(Θ_V) m_A(h_A) 
  m({1,5}) = m_T(Θ_T) m_V(l_V) m_A(l_A)        m({2,6}) = m_T(Θ_T) m_V(l_V) m_A(h_A) 
  m({3,7}) = m_T(Θ_T) m_V(h_V) m_A(l_A)        m({4,8}) = m_T(Θ_T) m_V(h_V) m_A(h_A) 
  m({1,2,3,4}) = m_T(l_T) m_V(Θ_V) m_A(Θ_A)    m({5,6,7,8}) = m_T(h_T) m_V(Θ_V) m_A(Θ_A) 
  m({1,2,5,6}) = m_T(Θ_T) m_V(l_V) m_A(Θ_A)    m({3,4,7,8}) = m_T(Θ_T) m_V(h_V) m_A(Θ_A) 
  m({1,3,5,7}) = m_T(Θ_T) m_V(Θ_V) m_A(l_A)    m({2,4,6,8}) = m_T(Θ_T) m_V(Θ_V) m_A(h_A) 
  m(Θ) = m_T(Θ_T) m_V(Θ_V) m_A(Θ_A) 

  The m-value for any other subset is 0. 
Abstract. Web based services and applications have increased the availability 
and accessibility of information. XML (eXtensible Markup Language) has 
recently emerged as an important standard in the area of information 
representation. XML documents can represent information at different levels of 
sensitivity. Access control for XML document stores must recognise the fine- 
grained nature of the document structure. In this paper we present an approach 
to access control for XML document stores. This framework is based on 
RBAC and includes a syntax for specifying access control policies for the store. 



1. Introduction 

Web based services and applications have increased the availability and accessibility of 
information. They have also increased the need to share information between different 
applications running on different platforms. This in turn has created the need for 
suitable standards for information representation and transfer. XML (eXtensible Markup 
Language) [12] has recently emerged as an important standard in the area of information 
representation using markup languages. For technical writers, XML provides a syntax that 
allows them to capture the meaning of their documents. For the enterprise programmer, 
XML provides a syntax for moving data between objects. For the programmer building 
systems to provide e-commerce services between business partners, XML provides a 
syntax to capture the richness of the transactions, making the transactions more accurate 
and timely. XML is a simplified version of SGML. It is easier to learn and use than 
SGML while still providing many of the benefits of SGML. With XML, elements have 
tags and one can define nested documents and document types that describe the structure 
of the documents. 

Because XML documents can represent information at different levels of sensitivity, it 
is necessary to develop access control mechanisms that define which part of the document 
can be accessed by whom. Traditionally, the work on access control classifies security 
models into two broad categories, namely discretionary access control and mandatory 
access control. Typically, discretionary access control models leave the specification of 
access control policies to individual users and control the access of users to information on 
the basis of the identity of users. In mandatory access control models, the standard approach is 
to have the access defined by a system administrator and to employ attributes such as 
classifications and clearances. The need for access control for the web, and XML 
document stores in particular, has been recognized [1,2,4]. Recently, there has been 
extensive interest in role based access control (RBAC) [5] even though the idea of the use 
of roles for controlling access to entities and objects is as old as the traditional access 
control models. In the RBAC models, the attributes used in access control are the roles 
associated with the principals, and the privileges are associated with the roles. 

In this paper, we consider a role based access control model for XML based 
information objects. Section 2 briefly discusses the characteristics of XML and defines the 
relevant components of the XML syntax. Section 3 describes the characteristics of the role 
based access control model. In section 4, we define the requirements of access control for 
XML based documents. In particular, we consider the various design aspects such as fine- 
grained policy control, propagation and control of policies and modelling of relationship 
between the document type definitions and documents. Section 5 proposes a role based 
access control model for XML and defines the authorisations on target objects, which can 
be documents and document type definitions or both. Section 6 considers the evolution of 
the access control system in terms of the operations that can be defined on roles and 
permission. Finally some conclusions and further work are outlined in Section 7. 



2. XML 

XML is a format for placing any form of structured data on the World Wide Web. The 
type of data covered includes, but is not limited to, graphics, spreadsheets, databases and 
other forms of structured information. For example, an XML document may contain, 
directly or by reference, the complete medical history of a patient. Another XML 
document may represent a database built from such patient records. XML provides a 
means of designing formats for data that are capable of being widely understood, can be 
generated and read by computer and are extensible. The full definition for XML is 
supplied by the W3C [12]. 

The basic component of an XML document is an element. An element is delimited by 
matching start and end tags. A tag of the form <tag-name> marks the start of an element 
and a tag of the form </tag-name> marks its end. An element may have content and 
attributes associated with it. Attributes may only appear within the start tag of an element. 
Their declaration gives their name, type and a default value. Attributes are used to provide 
additional information. One predefined attribute type, ID, may be used to uniquely name 
the element. Another, IDREF, can be used to refer to named elements. Between the tags 
of an element is that element's content. This content may be either other elements or 
character data or both. Element nesting may be to any depth. It can be seen that XML 
documents may be regarded as directed graphs. 

A special type of XML document is the Document Type Definition (DTD). A DTD 
provides the rules for the structure of XML documents. The DTD may be a separate file 
or included with the documents. The DTD provides rules for the element and attribute 
structure of the document. XML documents which conform to a DTD can be thought of 
as instances of the schema represented by that DTD. 

XML documents may be well-formed or valid. A document is well-formed if it 
conforms to the syntax of XML. A document is valid if it conforms to a DTD. Note that a 
valid document is also well-formed. Examples of a DTD and a corresponding document are 
given in figures 1 and 2. This example illustrates a situation where there may be multiple 
users of the information. For example, a receptionist may be allowed to consult the 
identification parts of the record (essentially everything other than the treatment records) 
while a doctor may have access to all the information. This is also an example of a 
requirement for different users (or classes of users) to have different levels of access to the 
information within a single document. 
<!DOCTYPE patient-record [ 
<!-- The root element is named patient-record, matching the DOCTYPE and figure 2. --> 
<!ELEMENT patient-record (name, address, health-care-num, treatment-rec*)> 
<!ELEMENT name (#PCDATA)> 
<!ELEMENT address (street, city, postcode, state, telnum)> 
<!ELEMENT street (#PCDATA)> 
<!ELEMENT city (#PCDATA)> 
<!ELEMENT postcode (#PCDATA)> 
<!ELEMENT state (#PCDATA)> 
<!ELEMENT telnum (#PCDATA)> 
<!ELEMENT health-care-num (#PCDATA)> 
<!ELEMENT treatment-rec (date, doctor, notes)> 
<!ELEMENT date (#PCDATA)> 
<!ELEMENT doctor (#PCDATA)> 
<!-- notes carries no content of its own; it links to the external treatment record. --> 
<!ELEMENT notes EMPTY> 
<!ATTLIST patient-record id ID #REQUIRED> 
<!ATTLIST notes xml-link       CDATA #FIXED "SIMPLE" 
                xml-attributes CDATA #FIXED "HREF URL" 
                URL            CDATA #REQUIRED> 
]> 



Fig. 1. An Example DTD 



<patient-record id="PNUM123"> 
<name>John Smith</name> 
<address> 
<street>38, Some Street</street> <city>Somewhere</city> 
<postcode>1234</postcode> <state>NA</state> 
<telnum>02 1234 5678</telnum> 
</address> 
<health-care-num>1234 56789 0</health-care-num> 
<treatment-rec> 
<date>5-5-00</date> <doctor>J. S. Who</doctor> 
<notes xml-link="SIMPLE" xml-attributes="HREF URL" 
       URL="http://www.medcentre.com/treatrecs/PNUM123-1.xml"/> 
</treatment-rec> 
<treatment-rec> 
<date>12-8-00</date> <doctor>J. S. Who</doctor> 
<notes xml-link="SIMPLE" xml-attributes="HREF URL" 
       URL="http://www.medcentre.com/treatrecs/PNUM123-2.xml"/> 
</treatment-rec> 
</patient-record> 



Fig. 2. An Example XML Document 



3. RBAC 

The central idea of Role-Based Access Control (RBAC) is the role. A role models the 
functions of a particular job within an organisation (such as programmer, physician or 
shift manager). Permissions are assigned to roles based on the access required for a 
person in the corresponding position to carry out their job functions. Users are assigned to 
one or more roles on the basis of their actual job classifications. Roles therefore embody 
both the access allowed to users and the extent to which resources may be accessed. The 
mappings between users and roles and roles and permissions form a central part of any 
RBAC system. The exact form a permission takes will vary from system to system but 
can be thought of as an authorisation or approval to carry out a particular, specified, 
action. A permission can be as general or highly detailed as required (and the system 
allows). 
The interaction between users and roles is more sophisticated than a simple mapping. 
Each user has a set of roles (one or more) to which they are assigned. These are generally 
termed the authorised roles for the user. When the user wishes to interact with the system 
they initiate a session. This could be as simple as creating a process. For each session of a 
user there is a set of active roles, which is a subset of the authorised roles for the 
corresponding user. Access for the session is limited to what is available through the 
active roles. 

Roles themselves are usually related through two further concepts, constraints and 
hierarchies. Constraints are used to limit the roles that may be simultaneously occupied 
by a user. This may be either at the level of authorised or active roles. Constraints may be 
simple in nature, for example simple mutual exclusion (which enables separation of duty 
to be modelled), or more complicated, for example limiting the number of members of a 
role or insisting on membership of one role being a prerequisite for membership of a 
second. The form of constraint possible depends on the expressive power of the actual 
implementation; there is no theoretical limitation. 

A role hierarchy is a partial order on the roles within a system. Within the hierarchy a 
role inherits from its ancestors all their permissions. The permissions of the role itself and 
the permissions of all its ancestors within the hierarchy determine the actual access 
conveyed by the role. For example, the role specialist may inherit all the permissions of 
general-practitioner. 



4. Requirements for XML Access Control 

XML documents can embody a wide range of semantic information. The information in a 
document can be presented in a complex structure. Access control policies for XML 
document stores must reflect the rich semantic and structural nature of the information. 
This results in a set of requirements for the design of the access control mechanism for an 
XML document store: 

• Fine-grained policy control 

• Propagation of policy through the document structure 

• Control of propagation through restriction 

• Modelling the relationship between DTDs and Documents 

• Abstraction over sets of subjects 

4.1. Fine Grained Policy Control 

XML was designed to allow semantically rich documents, both in terms of content and 
structure. Documents can be viewed as having a hierarchical structure. Each element will 
be composed of a number of attributes and/or links as well as, possibly, other elements. 
Access control policies for such documents may distinguish between the different 
elements (or their components) of a document. For example, consider a document which 
lists groups, their individual members and contact details and contains links to technical 
documents produced by the groups. While the contact details may need to be widely 
available, access to the technical documents may be restricted. It follows that only some 
subjects should be given access to the elements which contain the links to these 
documents. Such distinctions must be supported by the access control mechanism. This 
can only be met by allowing access control policies to be expressed at a very fine-grained 
level, i.e. at the granularity of element. 

It could be argued that the access could be specified at an even finer grain than the 
element level, i.e. at the attribute/link level. It should be remembered that the element is 
the semantic structuring unit for XML documents. Within an element there are only 
attributes, links and sub-elements. In the next sub-section restricting the access granted to 
sub-elements will be discussed. If access to sub-elements is not allowed then only 
attributes and links remain. If the set of attributes and links in an element should have 
different access control then an argument could be made that the different groups should 
be placed in separate semantic units (i.e. elements) and the primary granularity remains 
that of the element. However, if such separations are not desired, the changes required to 
the following to refine the granularity to the level of individual attributes and links are 
minor, consisting mainly in some added complexity in the definition of the scope of a 
permission. For space reasons, amongst others, we limit ourselves to the element as the 
base granularity for access control. 

4.2. Propagation 

As argued in the previous sub-section the rich structure of XML documents results in a 
need for policy control which can allow for finer-grained control than document level 
policies would. However, requiring policies to be specified on each element (or attribute, 
etc.) would be tedious and confusing. Policy granularity must be flexible, reflecting the 
hierarchical structure of XML documents. It must be possible to specify policies at the 
document, element or intermediate levels. It must be possible for policies to propagate 
down the hierarchical structure. This propagation may be defined, for individual policies, 
to be fully down the hierarchy, or limited in some way (e.g., to a number of levels). 
Consider the document of figure 2. If access is to be granted to the address of the patient 
it should only be necessary to specify the policy at the level of the address element (or 
higher) and not individually for each sub-element of address (street, city, etc.). 

Such a restriction allows the policy managers to specify how far down the 
hierarchy the access propagates. If it does not propagate at all, then the access applies 
only to the attributes/links of an element, and not to its sub-elements. 

4.3. Restriction 

Fine grained access control, which may propagate throughout a document, results in a 
flexible control mechanism. However, it cannot easily implement all possible policies. 
There need to be more limits on the propagation than the fairly coarse one of restricting 
the number of levels of propagation; that device is too unwieldy to satisfy all 
requirements. For example, it does not easily allow restriction of access to some sub- 
branches of the document hierarchy. 

It must be possible to restrict access to certain parts of an XML document. If 
authorisations are propagated down the tree structure of an XML document or DTD then 
there will be a need for negative authorisations to control the propagation. These negative 
authorisations may themselves be propagated down the document. As noted earlier, while 
a receptionist may be given access to most of the fields of the document in figure 2, the 
receptionist would not be given access to the treatment records. The sensible way to 
handle this would be to give the receptionist access to the document at the patient element 
level. This would then propagate through the document. The access would be restricted at 
the treatment-rec element. The result is two policy expressions, not one per 
element. 

4.4. Modelling the Relationship between DTDs and Documents 

While propagation within a document is a useful tool for specifying policies, it is not the 
only form of propagation applicable to an XML document store. Many (if not most) XML 
documents will have a corresponding DTD specification. Often documents which share a 
DTD will also share access control policies. It would therefore be useful to be able to 
specify policies on a DTD which propagate to documents based on that DTD. This 
propagation is orthogonal to the propagation along the hierarchical structure of documents 
and DTDs. 

As a corollary of this there must be the ability to specify the precedence of policies at 
the DTD and document levels. Normally those at the individual document level would 
take precedence (if they exist). It must be possible to specify other precedence orders. 
Taking our example from the previous sub-section further, it would probably be preferable 
if the policy outlined could be applied to the DTD and then extend to all patient records, 
rather than having to state it for each record. 

4.5. Subjects 

Accesses to an XML document store will likely be from a variety of locations. Some will 
be local to the store, others remote. Given the potentially rich semantic content of such a 
store it is also likely that the users requesting access will form a diverse set. It is 
obviously unrealistic to require the store to maintain policies individually for each user. 
Instead, it should be possible to abstract over this diverse set of users. 

Various techniques for such abstraction exist, including groups and roles. Roles offer 
more semantic power due to the ability to define relationships between the various roles 
via a hierarchy of inheritance. Groups tend to be distinct, unrelated, structures. For this 
reason, amongst others, we will use roles to abstract over the users accessing the document 
store. More details on this are given in the next section. For our (simplistic) medical 
example, it may be desirable to divide users into two classifications - receptionists and 
doctors. 



5. RBAC for XML 

As outlined in the previous section one of the requirements for an access control 
mechanism for an XML document store is the ability to abstract over subjects. A high 
proportion of the subjects seeking access to the store will not be from the same node or 
local network as the store itself. In such circumstances it is unwieldy for the store (or its 
access control) to record the subjects individually. The subjects will need to be classified, 
allowing single policies to apply to groups of subjects. 

The most common methods for such classification are assigning users to groups or to 
roles. In many ways groups and roles are similar. Both allow subjects to be grouped 
together. Both allow single policies to apply to multiple subjects. However, roles have a 
significant advantage over groups for expressing access control policies for an XML 
document store available to a distributed user base. These advantages are 

• Roles can be formed into hierarchies. 

• Roles allow different sessions of the same subject to have different privileges. 

• Privileges are stored with the role, not the object. 

Most group-based access control treats groups as completely separate and unrelated 
collections of subjects. It has been said that roles are merely groups structured 
hierarchically, with one role (group) consisting of other roles (groups). While this is an 
oversimplification, the ability to structure roles hierarchically does yield enhanced 
expressiveness. Roles allow the classification of subjects to be structured. This allows for 
a more easily understood and managed view of subjects. 

Given the anticipated widespread use of XML it has to be expected that access control 
policies for XML document stores will be managed by users who are domain specialists, 
not computing specialists. RBAC is known to have advantages in modelling real-world 
organisations [7] and should be suitable for describing access control policies for XML 
document stores. 
It is possible that RBAC would be used both at the XML document store and at the 
home site of remote users. This would mean that subjects would be assigned to roles at 
their home system. The document store could accept the role assignments of remote users. 
Some suggestions for distributed RBAC have proposed that the system where access is 
requested simply accept the role assignment made at the subject’s home or, implicitly, 
assume that both subject and document store employ the same role hierarchy [6,9,11]. 
Even where the latter is correct the acceptance of remote role assignment is potentially 
dubious and does not reflect real world practice (one of the stated strengths of RBAC). 
For example, simply because a user is a programmer at their system does not 
automatically mean they should be accorded all the privileges of a programmer at a remote 
system. It is also simplistic to assume the roles and the role hierarchy will be uniform 
across all home nodes and systems of users of a given document store. 

The node on which the document store is held cannot simply accept the role 
assignments (or other access control decisions) made at a remote node. This means that 
the node at which access is requested will have to make some mapping between the 
remote roles for the subject and existing local roles. This becomes especially true when 
the role hierarchies at the local and remote nodes show little, if any, similarity. 




Fig. 3. Role Assignment for Remote Access 

Normal practice in access control is to give a subject access to objects subject to 
policies laid down by the store (or system) administrator. This will require the 
administrator to create policies which specify the translation between remote and local 
role assignment. This will usually result in a lower level of access being granted than if 
the remote role assignments were used unchanged. This is not unreasonable - in the real 
world a visitor usually has much lower access than local staff. If no explicit policy exists 
on how to treat a particular remote role assignment then default policies assigning such 
subjects to very low privilege local roles can be formulated. Where the remote role 
assignments are recognised (on the basis of remote system and assignment) more informed 
decisions can be made, on the basis of explicit policies. The architecture for role 
assignment is illustrated in figure 3. Note that the decisions about role assignment made 
by the policy managers in both systems will affect the access of the user in the remote 
system. 

When a subject presents a request for access the document store only needs to be 
concerned with the current role assignment of the subject. This will probably be presented 
within a certificate signed by an authority within the subject's home system. We assume 
that the access control system of the document store has trust (either directly or indirectly) 
in this authority. The access control system only needs to be concerned with the current 
active roles of the subject (the dynamic situation) not the long term static role 
authorisations. Groups tend to be much more static, concerned with the long term 
grouping of subjects. This again makes roles more suitable for an XML environment. 
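The role assignment step of figure 3, as an added Python example that is not part of the paper: the home system asserts the roles a user has activated for the session, and the store verifies the assertion and translates it through an explicit administrator policy, falling back to a low-privilege local role for anything unmapped. Assumptions beyond the text: the "certificate signed by an authority within the subject's home system" is stood in for by a JSON body authenticated with an HMAC under a key shared with the store, and the host names, role names, key and time values are all constructed.

```python
# Added example, not the paper's own code. The HMAC over a JSON body stands in for the
# signed role certificate the paper describes; TRUSTED_HOME_KEYS, ROLE_MAP and all names
# below are constructed for illustration.
import hashlib
import hmac
import json
import time

# Home authorities whose assertions the store trusts, with the key shared with each.
TRUSTED_HOME_KEYS = {"hospital-b.example": b"constructed-shared-key"}
# Explicit translation policy written by the store administrator:
# (home system, remote role) -> local roles. Anything else gets DEFAULT_LOCAL_ROLES.
ROLE_MAP = {
    ("hospital-b.example", "consultant"): {"doctor"},
    ("hospital-b.example", "front-desk"): {"receptionist"},
}
DEFAULT_LOCAL_ROLES = {"visitor"}


def issue_assertion(home, user, active_roles, key, now=None):
    """Home-system side: assert the roles the user has activated for this session."""
    body = {"home": home, "user": user, "roles": sorted(active_roles),
            "issued": int(time.time()) if now is None else now}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload, tag


def assign_local_roles(payload, tag, now=None, max_age=3600):
    """Store side: authenticate the assertion, then translate remote roles to local ones.
    The remote assignment is never accepted as-is; only the explicit ROLE_MAP policy or
    the low-privilege default decides which local roles the session receives."""
    body = json.loads(payload)
    key = TRUSTED_HOME_KEYS.get(body.get("home"))
    if key is None:
        raise PermissionError("assertion from an untrusted home system")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("assertion failed authentication")
    now = int(time.time()) if now is None else now
    if now - body["issued"] > max_age:
        raise PermissionError("stale assertion: active roles are a session property")
    local = set()
    for remote_role in body["roles"]:
        local |= ROLE_MAP.get((body["home"], remote_role), DEFAULT_LOCAL_ROLES)
    return local
```

The freshness check reflects the point made above: the store only cares about the roles currently active in the session, so an assertion is not a long-term group membership and should not be reusable indefinitely.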

In an RBAC system privileges are stored (logically at least) with the roles, not the 
objects. This makes the determination of the access allowed via a particular role an easy 
matter. Storing privileges with objects makes the determination of a subject's total access 
a time-consuming and difficult question. Given that an XML store is to be available to 
remote subjects the question of the total access allowed such users is relevant. Again the 
RBAC approach appears suitable as it provides an easy way to determine the access 
available to a remote subject. 

Once a user has established a remote session and been assigned local roles, as 
illustrated in figure 3, that session can be used to access XML documents in the local 
document store. This process is displayed in figure 4. 




Fig. 4. Access request validation 

In the following subsections we present a syntax for use by the human policy manager 
in setting policies which are enforced by the automated authorisation manager. The 
algorithm used by the authorisation manager in deciding whether or not to grant a 
requested access is given in section 5.5. It could be argued that XML should be used as the 
basis for the specification of policy. However, this may not be the best syntax for the 
policy manager to use. We present a more friendly, high-level syntax. However, there is 
nothing to prevent the actual storage representation of these policies being in XML. The 
possible translation between the syntax presented here and XML is not discussed and is 
left for future work. 

5.1. Authorisations 

The actual authorisations in an RBAC system are expressed in the permissions (policies), 
which are then grouped together within the roles themselves. The requirements outlined in 
section 4 give us the following broad structure for a permission for an XML document 
store 

• Target identification - may be for one or more DTDs and/or documents 

• Element identification - to which elements within the DTD (document) does the 
permission apply 

• Propagation - does the permission propagate beyond the specified elements and if 
so, how 

• Authorisation - does the permission convey positive or negative (denial) 
authorisation 
• Priority - does the permission override the normal rule for propagation of 
authorisations between DTDs and documents. 

This broad outline of a permission obviously applies to XML document stores in 
general and is not limited by the adoption of RBAC. It could be converted into an actual 
syntax in many ways. That which we give below is based on our language for object- 
oriented RBAC systems, called Tower [8]. 

We assume the following default precedence rules: 

• authorisations specified for a DTD propagate to documents based on that DTD but 
are overridden by conflicting permissions expressed explicitly on the document. 

• negative permissions override positive permissions 

The basic syntax for a permission is: 



permission_name := [priority] permission | negpermission 
    target {target_oid, target_oid, ...} 
    [path [not] {path_expression, path_expression, ...} 
        [propagation_rule]] 
    [condition_expression] 
end_permission 



5.2. Priority and Access 

The optional key word priority is used to specify whether or not the access granted by the 
permission overrides (has priority over) the normal precedence rule of DTD permissions 
being subordinate to document specific permissions. If the permission is given priority 
then the access it specifies on any target DTDs overrides any conflicting access specified 
for documents which conform to those DTDs. We provide no mechanism to override the 
priority negative permissions have over positive permissions. While this could have been 
provided we believe that this could lead to difficult to understand policy expressions. It 
also raises the question of whether it should be possible to override the override. DTD to 
documents is a single level transfer. Positive and negative permissions could, in theory, 
override each other indefinitely through the hierarchical document structure, and this is 
undesirable. 

The second key word within the permission (permission or negpermission) specifies 
whether the permission grants (permission) or disallows (negpermission) access. While a 
permission can apply to targets (both in terms of documents and of elements/attributes 
within those documents) the form of access that it gives to its targets is the same, either 
positive or negative. 

5.3. Target Documents and Elements 

After the keyword target is a list of object identifiers which are the targets for the 
permission. These may be for documents, DTDs or both. The object identifiers are 
expressed in whatever syntax is applicable to the host system of the store. 

After the keyword path is an optional set of path expressions. These specify the 
elements of the documents to which access is being granted or denied by the permission. 
We use XPath [13], the XML path language, for these expressions. An expression in XPath 
is a sequence of names and identifies one or more elements in the target document. Note 
that, by default, we take the initial context for the resolution of the XPath expressions to 
be the target document. An access request will specify the parts of the document to which 
access is sought. Each path expression in a permission is evaluated to determine if it 
matches the path expression in the request. The optional keyword not is a shorthand for 
inverting the scope of the permission: when it is present, the permission applies if the path 
in the access request matches none of the paths listed in the permission. If no path expression 
is included within the permission then the access defined in the permission is for all 
elements of the target objects. 

5.4. Propagation and Conditions 

The propagation_rule defines how the access granted by a permission propagates to the 
children of the explicitly named elements. By children we mean its descendants in the 
hierarchical structure of the XML document or DTD. The syntax for this clause is 



propagation_rule: recursion [{target_spec, ...}] 
recursion:        local | [n]recursive 
target_spec:      attributes | links 



If the propagation is local then the permission only applies to the attributes, links and 
data of the specified elements (as defined by the target specification). The level of 
recursion, if any, is specified by the use of the keyword recursive. If it is used without a 
limiting integer then the permission applies to all attributes and links (as restricted by the 
target specification) of the elements, their sub-elements and further sub-elements. 
Including an integer limits the recursion (e.g., 1 limits the permission to the elements and 
their direct sub-elements only). 

A permission automatically applies to any data of the governed elements. The 
target_spec specifies whether the permission also applies to attributes and/or links. If no 
target specification is given the permission applies only to the data of the elements given 
by the path expression, and possibly sub-elements, as specified by the propagation. It does 
not grant or deny access to links or attributes. 

If the propagation rule is not specified, it is assumed to be recursive and apply to both 
attributes and links as well as data. 

The condition_expression is a boolean expression which is checked before access is 
granted or denied. The permission only takes effect (negatively or positively) if the 
boolean expression evaluates to true. The expression may include checks on environment 
variables, such as time of day or physical location. For more detail see [8]. 

5.5. Roles and the Access Control Algorithm 

A role is not simply a collection of permissions. Two other important components of the 
role concept are the role hierarchy and constraints [10]. The role hierarchy allows roles to 
be composed of other roles. For example, if role r1 has permission p1 and role r2 inherits 
from r1 then the access allowed by p1 is also available through r2. Constraints place 
restrictions on how users are assigned to roles. The syntax for a role is as follows: 



role_name := role 

[constraint_expression] 

[roles {role, role,...}] 

[permissions {permission, permission, ...}] 

end_role 



Constraints in a role may be used to impose restrictions upon whether a user may have 
this role added to his/her set of roles, or whether a user may add another role while 
possessing this one. Such a constraint is specified as a Boolean function which must 
evaluate to true if the role is to be added. A short hand is provided for the common case of 
exclusion, which is that possession of the current role is mutually exclusive with the roles 
in the role set. 
exclude role_set 

Requests for access in a XML document store will need to specify the following 
information: 

• a session identifier, which can be used to identify a user, u 

• the identity of the XML document(s) being accessed, d 

• the portions of the document(s) being accessed, identified by Xpath path 
expression(s), p 

Conceptually an access request takes the form access(s, d, p), where d and p may be 
singular or sets. If multiple documents are accessed they must adhere to the same DTD so 
that the path expressions in p can apply to all documents d. 

The access control system will report whether the access is to be allowed or disallowed, 
according to the following algorithm: 
for each active role r_i of the session s 
    for each permission p_j of r_i 
        if d is a target of p_j, and the elements and/or attributes/links 
        identified by p are covered by p_j, and the condition expression of 
        p_j evaluates to true 
            allow the access 
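The decision procedure above, together with the propagation and restriction rules of sections 4.2 to 4.4 and the precedence rules of section 5.1, as an added Python example that is not part of the paper. It assumes a simplified path language (absolute child steps such as /patient/address/street in place of full XPath), a constructed patient record standing in for figure 2, and that a DTD-level permission "conflicts" with a document-level one whenever both match the same request; the role, permission, DTD and document names are hypothetical.

```python
# Added example, not the paper's own implementation. Paths are simple absolute element
# paths rather than XPath; PATIENT_XML, the DTD/document identifiers and all role and
# permission names are constructed for illustration.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Permission:
    name: str
    targets: frozenset                       # document and/or DTD identifiers
    paths: tuple = ()                        # () means all elements of the target
    negate: bool = False                     # the optional "not" keyword
    depth: Optional[int] = None              # None = recursive, 0 = local, n = n levels down
    positive: bool = True                    # permission (True) or negpermission (False)
    priority: bool = False                   # DTD permission overrides document permissions
    condition: Callable = lambda env: True   # condition_expression over the environment

    def covers(self, path: str) -> bool:
        """Propagation check: does the scope reach `path` from one of the named elements?"""
        req = tuple(s for s in path.split("/") if s)
        hit = False
        for p in self.paths or ("/",):
            steps = tuple(s for s in p.split("/") if s)
            levels_below = len(req) - len(steps)
            if req[:len(steps)] == steps and (self.depth is None or levels_below <= self.depth):
                hit = True
                break
        return not hit if self.negate else hit


@dataclass
class Role:
    name: str
    roles: list = field(default_factory=list)        # roles inherited from
    permissions: list = field(default_factory=list)

    def effective_permissions(self) -> list:
        """Own permissions plus everything inherited through the role hierarchy."""
        seen, out, stack = set(), [], [self]
        while stack:
            r = stack.pop()
            if r.name not in seen:
                seen.add(r.name)
                out.extend(r.permissions)
                stack.extend(r.roles)
        return out


def decide(active_roles, doc_id, dtd_id, path, env=None) -> bool:
    """The Section 5.5 algorithm plus the default precedence rules of Section 5.1."""
    env, matched = env or {}, []
    for role in active_roles:
        for perm in role.effective_permissions():
            if doc_id in perm.targets:
                level = "document"
            elif dtd_id in perm.targets:
                level = "dtd"                       # propagated from the DTD (Section 4.4)
            else:
                continue
            if perm.covers(path) and perm.condition(env):
                matched.append((level, perm))
    # Explicit document permissions override DTD ones, unless the DTD permission has priority.
    if any(level == "document" for level, _ in matched):
        matched = [(l, p) for l, p in matched if l == "document" or p.priority]
    if not matched:
        return False                                # nothing grants access: closed policy
    return all(p.positive for _, p in matched)      # any negpermission wins over positives


def element_paths(xml_text: str) -> list:
    """Every element path of a document, so a request can be checked element by element."""
    out = []

    def walk(el, prefix):
        here = f"{prefix}/{el.tag}"
        out.append(here)
        for child in el:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return out


# Constructed sample record in the spirit of the paper's figure 2 (which is not reproduced here).
PATIENT_XML = """<patient><name>A. Example</name>
<address><street>1 High St</street><city>Xi'an</city></address>
<treatment-rec><date>2001-11-13</date><notes>confidential</notes></treatment-rec></patient>"""
DTD, DOC = "patient.dtd", "p42.xml"

staff = Role("staff", permissions=[Permission("read_patient", frozenset({DTD}), ("/patient",))])
receptionist = Role("receptionist", roles=[staff], permissions=[
    Permission("hide_treatment", frozenset({DTD}), ("/patient/treatment-rec",), positive=False)])
doctor = Role("doctor", roles=[staff])
courier = Role("courier", permissions=[Permission(
    "address_only", frozenset({DTD}), ("/patient/address",), depth=0,   # local, office hours only
    condition=lambda env: 9 <= env.get("hour", 0) < 17)])
auditor = Role("auditor", permissions=[
    Permission("deny_all", frozenset({DTD}), positive=False),            # DTD-level denial
    Permission("p42_name", frozenset({DOC}), ("/patient/name",))])       # document-level grant wins


def demo() -> dict:
    """The scenarios of Sections 4.2 to 4.4 evaluated against the policy above."""
    day, night = {"hour": 10}, {"hour": 22}
    return {
        "receptionist_street": decide([receptionist], DOC, DTD, "/patient/address/street"),
        "receptionist_notes": decide([receptionist], DOC, DTD, "/patient/treatment-rec/notes"),
        "doctor_notes": decide([doctor], DOC, DTD, "/patient/treatment-rec/notes"),
        "courier_address": decide([courier], DOC, DTD, "/patient/address", day),
        "courier_street": decide([courier], DOC, DTD, "/patient/address/street", day),
        "courier_at_night": decide([courier], DOC, DTD, "/patient/address", night),
        "auditor_p42_name": decide([auditor], DOC, DTD, "/patient/name"),
        "auditor_p43_name": decide([auditor], "p43.xml", DTD, "/patient/name"),
        "elements_in_record": len(element_paths(PATIENT_XML)),
    }
```

Note that a negpermission inherited through the hierarchy binds the inheriting role as well, which is why the denial on treatment-rec is attached to the receptionist role rather than to the shared staff role that doctor also inherits from.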

6. System Evolution 

The structure of roles defined in the previous section essentially consists of a set of 
roles (for inheritance) and a set of permissions. As the system evolves, any of these 
structures may need to have their values updated. Set operations may be applied to each 
of these structures, for example 



R1 := R1 +{P1,P2} 



Role R1 now has permissions P1 and P2 added to its set of permissions. Although a 
role has two sets, the fact that values being added are permissions makes it clear that the 
update must be to the permission set of the role. Therefore we can simply use the role 
name without further qualification. The same applies to the sets of a permission (i.e. its 
targets and path expressions). 

Further forms of alteration are possible, as in the following examples: 



R:={P1,P2} 



The permissions in R are now P1 and P2. 



R1 := R1 + {R2, R3} 



R1 has R2 and R3 added to its roles 



R1 := R1 - {R4} 



R4 is no longer one of R1 ’s roles 

The system can determine if the roles or permissions of a role are being updated by 
resolving the names on the right hand side of the assignment statements. 
The other information held in a structure may also be updated within assignment 
statements. For example, the condition within a permission may be extended: 



P1 := P1 + condition_expression 



The new condition expression for the permission is formed by joining the previous 
expression and that in the assignment statement with the and conjunction. 



7. Conclusions 

Defining access control in web based services is becoming increasingly significant due to 
the growth in Internet and E-Commerce applications. XML is fast becoming a de-facto 
standard for representing documents and information in web based services and 
applications. Access control for an XML document store must reflect the potentially fine- 
grained nature of the store and provide a flexible format for specifying policies over the 
document structures. While some work on using XML for RBAC [3] has been done, it 
focuses on intranets, not remote access via the web, and does not consider whether XML is 
a suitable medium in which managers can express policy. Other uses of XML for access 
control do not apply an RBAC approach [1]. 

The access control proposal in this paper, centred on RBAC, meets the criteria 
identified for access control of XML document stores. It also easily allows for abstraction 
over subjects, which is necessary to easily allow remote access through the world wide 
web by large numbers of users. We have defined structures for specifying roles and the 
privileges available through them and have also described operations to allow for 
evolution of the access control structures themselves. The syntax is flexible and user- 
friendly. We believe that such a model can be used to specify access control in practical 
web based systems and can be easily integrated with existing applications. Further work in 
this area includes the development of tools for access control policy management and 
the translation of our syntax into XML documents. 
Abstract. We consider secret sharing with binary shares. This model 
allows us to use the well developed theory of cryptographically strong 
boolean functions. We prove that for a given secret sharing, the average 
cheating probability over all cheating and original vectors, i.e., 
$\bar{p} = \frac{1}{n} \sum_{c=1}^{n} 2^{-n} \sum_{\alpha \in V_n} p_{c,\alpha}$, satisfies $\bar{p} \ge \frac{1}{2}$, and the equality holds 
if and only if $p_{c,\alpha} = \frac{1}{2}$ for every cheating vector $\delta_c$ and every original 
vector $\alpha$. In this case the secret sharing is said to be cheating immune. 
We further establish a relationship between cheating-immune secret sharing 
and cryptographic criteria of boolean functions. This enables us to 
construct cheating-immune secret sharing. 



1 Introduction and Background 

Since its invention in 1978 by Blakley [2] and Shamir [9], secret sharing has 
evolved dramatically. Initially, it was designed to facilitate a distributed stor- 
age for a secret in an unreliable or insecure environment. Later, however, secret 
sharing has been incorporated into public key cryptography giving rise to the 
well-known concept of group or society oriented cryptography (see [5]). Now 
secret sharing is one of the basic cryptographic tools with variety of very in- 
teresting schemes based on algebraic or geometric structures. Tompa and Woll 
[11] observed that Shamir secret sharing can be subject to cheating by dishonest 
participants. The cheater is able to recover the valid secret from the invalid one 
passed by the combiner. As a result, the honest participants are left with an invalid 
secret while the cheater holds the valid one. This observation is true for all 
linear secret sharing. The cheating attack can also be extended for geometrical 
secret sharing. Cheating prevention can be considered in the context of condi- 
tionally and unconditionally secure secret sharing. We focus our attention on 
unconditionally secure secret sharing. In this setting, cheating can be thwarted 
by (1) share verification by the combiner - all invalid shares are identified and 
discarded, where the key recovery goes ahead only if there are enough valid shares 
to recover the valid secret (see [3,4,6]), and (2) discouraging cheaters from send- 
ing invalid shares to the combiner - this argument works if the cheater gains no 
advantage over honest participants. In other words, sending an invalid share will 
result in recovery of an invalid secret which gives no clues to the cheater as 
to the value of the valid secret. We intend to consider a class of secret sharing 
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for which, a cheating participant is no better off than a participant who tries 
simply to guess a secret. Ideally, the probability of successful cheating should 
be equal to the probability of guessing the secret by a participant. To make our 
considerations explicit, we assume that secret and shares are binary. For this 
case we prove that there is a secret sharing, further in the work called cheating 
immune, that gives no advantage to a cheater, making it, in a sense, immune 
against cheating. 

Secret sharing allows a group of participants $\mathcal{P} = \{P_1, \ldots, P_n\}$ to collectively 
hold a secret $K \in \mathcal{K}$, where $\mathcal{K}$ is a set of elements from which the secret is 
drawn. Secret sharing is created by a trusted algorithm called a dealer who, 
for a given secret, generates a collection of shares $s_i \in \mathcal{S}$, where $\mathcal{S}$ is a set of 
shares. Note that $s_i$ is given to $P_i$, $i = 1, \ldots, n$. The collective ownership of the 
secret is defined by the access structure of the secret sharing. The access structure 
$\Gamma$ is a collection of subgroups of $\mathcal{P}$ that are authorised to recover the secret. 
An authorised group of participants $A \in \Gamma$ is able to reconstruct the secret by 
invoking a trusted algorithm called the combiner. The combiner always returns the 
valid secret if the group $A$ submits their valid shares. If the group, however, is 
too small, i.e. $A \notin \Gamma$, then the algorithm returns a value which is not the valid 
secret (with overwhelming probability). In this work, we describe a secret 
sharing by a set of distribution rules [10], where a distribution rule is a function 
$f: \mathcal{P} \to \mathcal{S}$ that represents a possible distribution of shares to the participants. In 
other words, a secret sharing is a set $\mathcal{T} = \bigcup_{K \in \mathcal{K}} \mathcal{T}_K$, where $\mathcal{T}_K$ is the collection of distribution 
rules corresponding to the secret $K$. Equivalently, $\mathcal{T}$ can be presented in the form 
of a distribution table $T$. The table has $n + 1$ columns: the first one includes 
secrets and the other $n$ list the shares assigned to the participants $(P_1, \ldots, P_n)$, 
respectively. Each row of the distribution table specifies the secret for a collection 
of shares held by $\mathcal{P}$. Note that $\mathcal{T}_K$ can be seen as the part of the distribution table 
with rows whose first entry is $K$. This table is denoted by $T_K$. Most practical 
secret sharing schemes are linear and therefore subject to the attack observed 
by Tompa and Woll [11]. The attack permits a dishonest participant who at the 
pooling stage submits an invalid share to recover the valid secret from the invalid 
one returned by the combiner. 



2 Model of Cheating 

We introduce the following notation. Set $\alpha = (s_1, \ldots, s_n)$, the sequence of shares 
held by $\mathcal{P}$, and the secret $K = f(\alpha)$, and $\alpha^* = (s_1, \ldots, s_{c-1}, 1 \oplus s_c, s_{c+1}, \ldots, s_n)$, 
the sequence of shares submitted to the combiner where $P_c$ modified her share. 
Set $\delta_c = (0, \ldots, 0, 1, 0, \ldots, 0)$, all zero except the $c$-th position. $\delta_c$ represents 
the modification done by the cheater, so that $\alpha^* = \alpha \oplus \delta_c$, and $K^* = f(\alpha^*)$ is the 
invalid secret returned by the combiner. Let 
$$\Omega^*_\alpha = \{(x_1, \ldots, x_{c-1}, s_c, x_{c+1}, \ldots, x_n) \mid f(x_1, \ldots, x_{c-1}, 1 \oplus s_c, x_{c+1}, \ldots, x_n) = K^*\},$$ 
the set of all share vectors taken from rows of $T$ whose $c$-th share is $s_c$ and which 
are consistent with the invalid secret returned by the combiner. The set $\Omega^*_\alpha$ 
determines the view of the cheater after getting back $K^*$ from the combiner. Let 
$$\Omega_\alpha = \{(x_1, \ldots, x_{c-1}, s_c, x_{c+1}, \ldots, x_n) \mid f(x_1, \ldots, x_{c-1}, s_c, x_{c+1}, \ldots, x_n) = K\},$$ 
the set of rows which contain the current share of $P_c$ and the 
valid secret $K$. The function $f$ is called the defining function. The nonzero vector 
$\delta_c = (0, \ldots, 0, 1, 0, \ldots, 0)$, where only the $c$-th coordinate is nonzero, is called 
the cheating vector; $\alpha = (s_1, \ldots, s_n)$ is called the original vector. The value 
$p_{c,\alpha} = \#(\Omega^*_\alpha \cap \Omega_\alpha) / \#\Omega^*_\alpha$, where $\#X$ denotes the number of elements in the set 
$X$, expresses the probability of the cheater's success with respect to $\alpha = (s_1, \ldots, s_n)$. 
As the original vector $\alpha$ is always in $\Omega^*_\alpha \cap \Omega_\alpha$, the probability 
of successful cheating is always nonzero, i.e. $p_{c,\alpha} > 0$. Given a secret sharing with 
its defining function $f$ on $V_n$, the value $\bar{p}_c = 2^{-n} \sum_{\alpha \in V_n} p_{c,\alpha}$ is the average 
cheating probability over all original vectors in $V_n$ for a fixed cheating vector. 
The value $\bar{p} = \frac{1}{n} \sum_{c=1}^{n} \bar{p}_c = \frac{1}{n} \sum_{c=1}^{n} 2^{-n} \sum_{\alpha \in V_n} p_{c,\alpha}$ is the average cheating 
probability over all cheating vectors (with Hamming weight one) and all original 
vectors in $V_n$. Of course $\bar{p}$ depends on the particular $f$. 

Theorem 1. Given a secret sharing with its defining function $f$ on $V_n$. Then for 
each fixed integer $c$ with $1 \le c \le n$, we have $\bar{p}_c \ge \frac{1}{2}$, where the equality holds if and only if 
$p_{c,\alpha} = \frac{1}{2}$ for each $\alpha \in V_n$. 

Proof. Write $y = (x_1, \ldots, x_{c-1})$ and $z = (x_{c+1}, \ldots, x_n)$. Set 
$R_1 = \{(y,z) \mid f(y,1,z) = 1,\ f(y,0,z) = 1\}$, $R_2 = \{(y,z) \mid f(y,1,z) = 1,\ f(y,0,z) = 0\}$, 
$R_3 = \{(y,z) \mid f(y,1,z) = 0,\ f(y,0,z) = 1\}$, $R_4 = \{(y,z) \mid f(y,1,z) = 0,\ f(y,0,z) = 0\}$, 
and $\#R_i = r_i$, $i = 1, 2, 3, 4$. Obviously $r_1 + r_2 + r_3 + r_4 = 2^{n-1}$. Let 
$\beta_1 \in V_{c-1}$, $\beta_2 \in V_{n-c}$ and $\alpha = (\beta_1, 0, \beta_2)$ or $\alpha = (\beta_1, 1, \beta_2)$. By definition, $p_{c,\alpha}$ 
can be expressed as follows: 
(1) $\frac{r_1}{r_1 + r_2}$ when $\alpha = (\beta_1, 0, \beta_2)$ with $(\beta_1, \beta_2) \in R_1$, 
(2) $\frac{r_2}{r_1 + r_2}$ when $\alpha = (\beta_1, 0, \beta_2)$ with $(\beta_1, \beta_2) \in R_2$, 
(3) $\frac{r_3}{r_3 + r_4}$ when $\alpha = (\beta_1, 0, \beta_2)$ with $(\beta_1, \beta_2) \in R_3$, 
(4) $\frac{r_4}{r_3 + r_4}$ when $\alpha = (\beta_1, 0, \beta_2)$ with $(\beta_1, \beta_2) \in R_4$, 
(5) $\frac{r_1}{r_1 + r_3}$ when $\alpha = (\beta_1, 1, \beta_2)$ with $(\beta_1, \beta_2) \in R_1$, 
(6) $\frac{r_3}{r_1 + r_3}$ when $\alpha = (\beta_1, 1, \beta_2)$ with $(\beta_1, \beta_2) \in R_3$, 
(7) $\frac{r_2}{r_2 + r_4}$ when $\alpha = (\beta_1, 1, \beta_2)$ with $(\beta_1, \beta_2) \in R_2$, 
(8) $\frac{r_4}{r_2 + r_4}$ when $\alpha = (\beta_1, 1, \beta_2)$ with $(\beta_1, \beta_2) \in R_4$. 
There are the following two cases to be considered: 

Case 1: $R_j \cup R_i \ne \emptyset$ for each $(j,i) \in \{(1,2), (3,4), (1,3), (2,4)\}$. In this 
case $r_j + r_i \ne 0$ for each $(j,i) \in \{(1,2), (3,4), (1,3), (2,4)\}$. Therefore 
$$\bar{p}_c = 2^{-n} \sum_{\alpha \in V_n} p_{c,\alpha} = 2^{-n} \Big( \frac{r_1^2}{r_1 + r_2} + \frac{r_2^2}{r_1 + r_2} + \frac{r_3^2}{r_3 + r_4} + \frac{r_4^2}{r_3 + r_4} + \frac{r_1^2}{r_1 + r_3} + \frac{r_3^2}{r_1 + r_3} + \frac{r_2^2}{r_2 + r_4} + \frac{r_4^2}{r_2 + r_4} \Big).$$ 
Note that $\frac{a^2 + b^2}{a + b} \ge \frac{1}{2}(a + b)$ for any two real numbers 
$a, b \ge 0$ with $a + b > 0$, where the equality holds if and only if $a = b$. Therefore 
$$\bar{p}_c \ge 2^{-n} \Big( \tfrac{1}{2}(r_1 + r_2) + \tfrac{1}{2}(r_3 + r_4) + \tfrac{1}{2}(r_1 + r_3) + \tfrac{1}{2}(r_2 + r_4) \Big) = 2^{-n}(r_1 + r_2 + r_3 + r_4) = \tfrac{1}{2},$$ 
where the equality holds if and only if $r_1 = r_2 = r_3 = r_4$, if and only if $p_{c,\alpha} = \frac{1}{2}$ for each $\alpha \in V_n$. 

Case 2: $R_{j_0} \cup R_{i_0} = \emptyset$ for some $(j_0, i_0) \in \{(1,2), (3,4), (1,3), (2,4)\}$. Without 
loss of generality let $R_1 \cup R_2 = \emptyset$. Thus $r_1 = r_2 = 0$ and thus $r_3 + r_4 = 2^{n-1}$. 
There are the following two sub-cases to be considered: 

Case 2.1: $R_j \cup R_i \ne \emptyset$ for each $(j,i) \in \{(3,4), (1,3), (2,4)\}$. In this case 
$r_j + r_i \ne 0$ for each $(j,i) \in \{(3,4), (1,3), (2,4)\}$. Thus 
$$\bar{p}_c = 2^{-n} \sum_{\alpha \in V_n} p_{c,\alpha} = 2^{-n} \Big( \frac{r_3^2}{r_3 + r_4} + \frac{r_4^2}{r_3 + r_4} + \frac{r_3^2}{r_1 + r_3} + \frac{r_4^2}{r_2 + r_4} \Big).$$ 
Since $r_1 = r_2 = 0$, we have 
$$\bar{p}_c = 2^{-n} \sum_{\alpha \in V_n} p_{c,\alpha} = 2^{-n} \Big( \frac{r_3^2 + r_4^2}{r_3 + r_4} + r_3 + r_4 \Big) \ge 2^{-n} \Big( \tfrac{1}{2}(r_3 + r_4) + r_3 + r_4 \Big) = \tfrac{3}{4}.$$ 

Case 2.2: $R_{j_1} \cup R_{i_1} = \emptyset$ for some $(j_1, i_1) \in \{(3,4), (1,3), (2,4)\}$. Recall that 
$r_3 + r_4 = 2^{n-1}$. Thus $(j_1, i_1) \ne (3,4)$. Without loss of generality let $R_1 \cup R_3 = \emptyset$. 
Thus $r_3 = 0$ and $r_4 = 2^{n-1}$. Therefore 
$$\bar{p}_c = 2^{-n} \Big( \frac{r_4^2}{r_3 + r_4} + \frac{r_4^2}{r_2 + r_4} \Big).$$ 
Since $r_2 = r_3 = 0$, we have $\bar{p}_c = 2^{-n}(r_4 + r_4) = 1$. 

Summarizing Cases 1 and 2, we have proved that $\bar{p}_c \ge \frac{1}{2}$, where the equality 
holds if and only if $p_{c,\alpha} = \frac{1}{2}$ for each $\alpha \in V_n$. □ 

Theorem 2. Given secret sharing with its defining function $f$ on $V_n$. Then $\bar p \ge \frac{1}{2}$, where the equality holds $\iff p_{c,a} = \frac{1}{2}$ for each integer $c$ with $1 \le c \le n$ and each $a \in V_n$.

Proof. By using Theorem 1, we have $\bar p = \frac{1}{n}\sum_{c=1}^{n} p_c \ge \frac{1}{2}$. Assume $\bar p = \frac{1}{2}$. Since $\bar p = \frac{1}{2}$ and $p_c \ge \frac{1}{2}$, $c = 1, \dots, n$, we have $p_c = \frac{1}{2}$, $c = 1, \dots, n$. Due to Theorem 1, $p_{c,a} = \frac{1}{2}$ for each integer $c$ with $1 \le c \le n$ and each $a \in V_n$. We have proved the necessity. The sufficiency is obvious. □

3 Cheating Immune Secret Sharing and Its Construction 

Due to Theorem 2, if $\min\{p_{c,a} \mid a \in V_n,\ 1 \le c \le n\} < \frac{1}{2}$ then $\max\{p_{c,a} \mid a \in V_n,\ 1 \le c \le n\} > \frac{1}{2}$. Naturally it is desirable that $p_{c,a} = \frac{1}{2}$ for each integer $c$ with $1 \le c \le n$ and each $a \in V_n$. In this case the secret sharing is said to be cheating immune. Due to Theorems 1 and 2, we conclude

Corollary 1. Given secret sharing with its defining function $f$ on $V_n$. Then the following statements are equivalent: (i) $\bar p = \frac{1}{2}$, (ii) $p_c = \frac{1}{2}$ for each integer $c$ with $1 \le c \le n$, (iii) $p_{c,a} = \frac{1}{2}$ for each integer $c$ with $1 \le c \le n$ and each $a \in V_n$.

Cheating immunity of secret sharing can be investigated in the context of well-known characteristics of the defining function $f$ such as resiliency (see [14]) and the SAC (see [12,13]).

Theorem 3. Given secret sharing with its defining function $f$ on $V_n$. Then the secret sharing is cheating immune $\iff$ $f$ is 1-resilient and satisfies the SAC.

Proof. We keep using the notations in the proof of Theorem 1. It is easy to verify that $f(x_1, \dots, x_n)|_{x_c = 1}$ is balanced (1-resiliency) $\iff r_1 + r_2 = r_3 + r_4$, while $f(x_1, \dots, x_n)|_{x_c = 0}$ is balanced (1-resiliency) $\iff r_1 + r_3 = r_2 + r_4$. From the proof of Theorem 1, $f(x) \oplus f(x \oplus \delta_c) = 1 \iff (y,z) \in R_2 \cup R_3$, thus $f(x) \oplus f(x \oplus \delta_c)$ is balanced (SAC) $\iff r_1 + r_4 = r_2 + r_3$. Note that $r_1 + r_2 = r_3 + r_4$, $r_1 + r_3 = r_2 + r_4$ and $r_1 + r_4 = r_2 + r_3$ together $\iff r_1 = r_2 = r_3 = r_4$. From the proof of Theorem 1, $r_1 = r_2 = r_3 = r_4 \iff p_{c,a} = \frac{1}{2}$ for each $a \in V_n$. Due to the arbitrariness of the integer $c$ with $1 \le c \le n$, the proof is completed. □

Based on Theorem 3, to construct a cheating immune secret sharing scheme, we need a 1-resilient function on $V_n$ satisfying the SAC.
Theorem 4. Let $n > 0$ be an even integer. Then there exists a secret sharing with its defining function $f$ on $V_n$ such that (i) this secret sharing is cheating immune, (ii) the nonlinearity (see [14]) of $f$ is equal to $2^{n-1} - 2^{\frac{n}{2}}$.

Proof. Let $h$ be a bent function [7] on $V_{n-2}$ ($n$ is even). Set $g(x_1, \dots, x_{n-1}) = (1 \oplus x_{n-1})h(x_1, \dots, x_{n-2}) \oplus x_{n-1}(1 \oplus h(x_1 \oplus \alpha_1, \dots, x_{n-2} \oplus \alpha_{n-2}))$ where the Hamming weight of $(\alpha_1, \dots, \alpha_{n-2})$ is ^n—1. Set $f(x_1, \dots, x_n) = (1 \oplus x_n)g(x_1, \dots, x_{n-1}) \oplus x_n g(x_1 \oplus 1, \dots, x_{n-1} \oplus 1)$. From the proof of Theorem 17 of reference [8], $f$ is 1-resilient, satisfies the SAC and has nonlinearity $2^{n-1} - 2^{\frac{n}{2}}$. Due to Theorem 3, the secret sharing with defining function $f$ is cheating immune. □
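As an added illustration (not part of the paper), the following Python script checks Theorems 1, 3 and 4 on a concrete $n = 4$ instance: it builds $f$ by the Theorem 4 construction from the bent function $h = x_1 x_2$ on $V_2$ with the shift vector $\alpha = (1,0)$ (our choice), computes $r_1, \dots, r_4$ and $p_c$ for every $c$, and contrasts it with a linear defining function, against which a cheater always succeeds. The cheater model behind $p_{c,a}$ (the cheater keeps its own share $a_c$, observes $f(a \oplus \delta_c)$, and succeeds on the fraction of consistent original vectors with $f(x) = f(a)$) is our reading of the definition that precedes this excerpt; it reproduces the eight values listed in the proof of Theorem 1.

```python
from fractions import Fraction
from itertools import product


def vectors(n):
    """All 2^n vectors of V_n as tuples (x_1, ..., x_n) of 0/1."""
    return list(product((0, 1), repeat=n))


def flip(x, c):
    """x xor delta_c, where delta_c has a single 1 at position c (1-based)."""
    return tuple(b ^ (i == c - 1) for i, b in enumerate(x))


def cheating_prob(f, n, c, a):
    """p_{c,a} under the assumed cheater model (see lead-in): the cheater at
    position c keeps its share a_c, observes f(a xor delta_c) and succeeds on
    the fraction of consistent original vectors x for which f(x) = f(a)."""
    observed = f(flip(a, c))
    consistent = [x for x in vectors(n)
                  if x[c - 1] == a[c - 1] and f(flip(x, c)) == observed]
    hits = [x for x in consistent if f(x) == f(a)]
    return Fraction(len(hits), len(consistent))


def p_c(f, n, c):
    """p_c = 2^{-n} * sum over a of p_{c,a}; Theorem 1 says this is >= 1/2."""
    return sum(cheating_prob(f, n, c, a) for a in vectors(n)) / 2 ** n


def r_counts(f, n, c):
    """(r_1, r_2, r_3, r_4): sizes of R_1..R_4 from the proof of Theorem 1."""
    index = {(1, 1): 0, (1, 0): 1, (0, 1): 2, (0, 0): 3}
    r = [0, 0, 0, 0]
    for yz in vectors(n - 1):
        y, z = yz[:c - 1], yz[c - 1:]
        r[index[(f(y + (1,) + z), f(y + (0,) + z))]] += 1
    return tuple(r)


def is_cheating_immune(f, n):
    """p_{c,a} = 1/2 for every c and every a (Corollary 1 (iii))."""
    return all(cheating_prob(f, n, c, a) == Fraction(1, 2)
               for c in range(1, n + 1) for a in vectors(n))


def is_1_resilient(f, n):
    """f is balanced on every restriction x_c = 0 and x_c = 1."""
    return all(sum(f(x) for x in vectors(n) if x[c - 1] == v) == 2 ** (n - 2)
               for c in range(1, n + 1) for v in (0, 1))


def satisfies_sac(f, n):
    """f(x) xor f(x xor delta_c) is balanced for every c."""
    return all(sum(f(x) ^ f(flip(x, c)) for x in vectors(n)) == 2 ** (n - 1)
               for c in range(1, n + 1))


def nonlinearity(f, n):
    """2^{n-1} - (1/2) max_w |W_f(w)|, computed via the Walsh transform."""
    walsh_max = max(abs(sum((-1) ** (f(x) ^ (sum(wi & xi for wi, xi in zip(w, x)) & 1))
                            for x in vectors(n))) for w in vectors(n))
    return 2 ** (n - 1) - walsh_max // 2


def theorem4_function(n, h, alpha):
    """f on V_n built as in the proof of Theorem 4 from a bent h on V_{n-2}.
    alpha in V_{n-2} is the shift vector; the value we pass is an assumption."""
    def g(x):                                    # x in V_{n-1}
        body, last = x[:-1], x[-1]
        shifted = tuple(b ^ al for b, al in zip(body, alpha))
        return ((1 ^ last) & h(body)) ^ (last & (1 ^ h(shifted)))

    def f(x):                                    # x in V_n
        body, last = x[:-1], x[-1]
        return ((1 ^ last) & g(body)) ^ (last & g(tuple(1 ^ b for b in body)))
    return f


N = 4
BENT_H = lambda x: x[0] & x[1]                   # x_1 x_2 is bent on V_2
F_IMMUNE = theorem4_function(N, BENT_H, (1, 0))  # alpha = (1, 0): our choice
F_LINEAR = lambda x: x[0] ^ x[1] ^ x[2] ^ x[3]   # flipping any share flips the secret

if __name__ == "__main__":
    for name, f in (("Theorem 4 construction", F_IMMUNE), ("linear", F_LINEAR)):
        print(name,
              "r:", [r_counts(f, N, c) for c in range(1, N + 1)],
              "p_c:", [str(p_c(f, N, c)) for c in range(1, N + 1)],
              "immune:", is_cheating_immune(f, N),
              "1-resilient:", is_1_resilient(f, N),
              "SAC:", satisfies_sac(f, N),
              "nonlinearity:", nonlinearity(f, N))
```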

4 Conclusions

For given secret sharing, the average cheating probability $\bar p$ over all cheating and original vectors satisfies $\bar p \ge \frac{1}{2}$, and the equality holds $\iff$ the cheating probability $p_{c,a}$ satisfies $p_{c,a} = \frac{1}{2}$ for every cheating vector $\delta_c$ and every original vector $a$. In this case the secret sharing is said to be cheating immune. We further have found a relationship between cheating immune secret sharing and cryptographic criteria of boolean functions, and then we have successfully constructed cheating immune secret sharing with a highly nonlinear defining function.
Abstract. Recognizing that a trusted, highly random series of bits is the currency of modern cryptography, one may opt for a physical contraption that houses a supply of random bits, ready for safe and versatile use by individuals and organizations. Usage ranges from a steady supply of random keys to the prevailing symmetric and stream cryptographies, and up to raw one-time-pad protocols. The contraption, dubbed encryption stick, e-stick, or Randomat, enables one to establish a virtual identity which is highly secure against exposure, and thus empowers people towards candid exchange, anonymous transactions, and wholesale transparency of issues, with potentially broad social implications. The e-stick will be purchased for cash in a public shop (anonymity), and this off-Internet item will protect its user from the pervasive data nakedness in cyberspace.



1 Introduction 

Two individuals who wish to communicate securely need nothing more than a large enough supply of random bits. Applying the One-Time-Pad encryption (Vernam 1917), they would sit pretty with an unbreakable ciphertext. The only reason for this scenario not to have happened (on a broad basis) is the difficulty of generating the necessary random bits, ready for use when needed. This difficulty has two aspects: true randomness, or close enough to it, is a technical challenge, and making such random bits available to the parties, when they are ready to communicate, is a distribution challenge.

Owing to these obstacles, the science of cryptography was not finalized right there in 1917, when Gilbert S. Vernam [1] invented his theoretically secure cipher. Cryptography since then has made do with shorter strings of random bits, and later found a way to exchange such strings between strangers, surmounting the distribution challenge. With all the huge body of work that has transpired in the last eighty-some years, the state of the art is such that the trustworthiness of the supply of random bits is a matter of debate. Random bits used in block ciphers and stream ciphers are first communicated through asymmetric ciphers for which there is no proof of security. In other words, we sport the risk of a cryptographic catastrophe. The original knapsack algorithms have by now been discredited by virtue of effective cryptanalysis. The only viable alternatives are RSA and its variants, which rely on the difficulty of factorization, and those methods which rely on the difficulty of computing discrete logarithms. In both cases the difficulty is reduced to matrix inversion. For $n \times n$ matrices, the old Gaussian methods require $n^3$ steps. Strassen has reduced it to $n^{2.807}$ and Coppersmith and Winograd have further reduced it to $n^{2.376}$ [2]. So much is in the public domain. One cannot dismiss the possibility that non-public entities have come closer to $n^2$! All this implies that the mainstay of random bit distribution is of questionable trustworthiness. And since random series may be regarded as the currency of cryptography, such doubts overshadow the whole field of data security.

In light of such apprehension, it was deemed appropriate to revisit the original 
question of making randomness available to anyone who wishes to communicate in 
privacy or secrecy. 

Cyberspace is intrinsically open. The flow of data is easily intercepted, re-routed, modified, etc. It would seem that since secrecy and privacy depend on the integrity of the underlying randomness, such a precious resource should originate outside cyberspace. This situation brings to mind what Archimedes long ago said: ‘Give me a point outside Earth, and I will move the planet, with a big enough lever’. If we find a way to put randomness in the hands of users, outside the Internet, then we will have a way to use the Internet with impunity.

Technology today enables us to cram several megabytes of data into a thumbnail-size device, at a low price. This technology, if it had been available in 1917, would most likely have sealed the science of cryptology with the invention of Mr. Vernam. Today we may use it either for Vernam or for any of the prevailing cryptographies, all based on intractability, and all requiring a hefty supply of trusted randomness. Moreover, we may distribute these containers of randomness (to be called encryption sticks, e-sticks or Randomats) through distribution channels which handle tangibles like food and clothing. Users would purchase an encryption stick for cash, anonymously, and then use it in cyberspace.



2 The Device 

Functionally the e-stick amounts to a container of random bits which are highly protected against unauthorized use. For a rough analogy consider the familiar battery. A “AA” battery will power a wide range of electrical devices. Each device draws power from the battery at its own rate. When the battery is exhausted it is replaced. It is similar with encryption sticks. The stick will supply random bits to a large variety of applications. Some will exhaust it faster, some will use the bits sparingly. Much as a radio listener will opt for louder music and pay with a rapid depletion of his batteries, so an e-stick user might empty his stick quickly but gain a higher measure of security. By using One-Time-Pad the bits will disappear very fast, but the user will be compensated with the knowledge that his encryption is theoretically unbreakable. Large keys bring cryptographic equivocation (not just the customary intractability). As Shannon [3,4] has shown, equivocation is the foundation of theoretical security. Recently, AGS Encryptions Ltd. introduced variable equivocation cryptography, where the user balances off security vs. key size [5]. In mainstay cryptography security increases with the frequency of changing keys. So again, the user will decide how fast to consume the e-stick bits. Technology will continue to offer more bits per dollar and per stick size, and this will drive down the price of security.
The authorized use will be: (1) independent, stand-alone encryption; (2) "Say and Stay" bit output; (3) "Say and Forget" bit output. All will be expressed in two physical security modes: (a) no access authentication, (b) access authentication. There will be two versions, one where access will be verified, one without.

Physical security will be achieved via tamper-resistant construction and the option 
to authenticate the identity of the user. Tamper proof construction will be based on 
sensors and indicators that will detect an attempt to pry open the device, and will react 
by obliterating the data therein. 

The option to authenticate the user will be based on an access code that will be 
built into the device and only by supplying it will the device respond with the 
contents of its bits. Such access code may be linked to any of the prevailing access 
control solutions available at the time. 

The access port will accept: (1) a normal authentication code; (2) a silent alarm code; (3) wrong codes.

The normal authentication code will allow for normal operation. The silent alarm 
code will trigger an action that would look as if the stick operates properly but in fact, 
it won’t. The wrong code will kill the stick’s operation. The silent alarm mode will 
have several options. The simplest among them is to re-randomize the Randomat’s 
contents. Such re-randomization might occur by XOR-ing fixed size bit strings 
among themselves. 

In “Stand Alone Encryption” the device will have an input port for the original 
message, and an output port for the encrypted message. The ports will reverse their 
input/output role for the respective decryption process. In that mode one could use 
raw One-Time-Pad. In that case the encryption bits will be erased as they are being 
used, so that only a duplicate e-stick can decrypt them. In that respect it will be 
similar to public-key encryption. The encrypting party will not have the means to 
decrypt its own encryption. 

In another option, using Daniel [5], only parts of the random bits will be erased, and the rest will remain in the device. In yet another option, when security demands are not as stringent, the device will be usable again and again, for encryption and decryption (bits in “Say-and-Stay” mode), and security will hinge on guarding the device itself.

In “Say-and-Stay” mode the user asks for the value of a particular bit; the device responds with that value, but keeps the value intact so it can be queried again.

In the “Say-and-Forget” mode, the device responds to a query by providing the user with the value of a requested bit, but right away destroys that value so it cannot be queried again.

The bits will be organized on the device in one of several configurations: (1) ordered list, (2) n-dimensional array, (3) network. The source of the random bits will be physical: a long-lived radioactive element (a half-life of several thousand years). By measuring the actual disintegration of atoms one measures a process which, according to quantum mechanics, is as purely random as anything conceived. In a given time interval (nanoseconds or smaller), the measured radioactivity may be above its average or below it. The former will be interpreted as one, and the latter as zero. The measured values will be written to the manufactured Randomats.
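An added example (not code from the paper): a Python model of the e-stick semantics described in this section, with Say-and-Stay and Say-and-Forget queries, raw One-Time-Pad use that consumes bits so that only the duplicate stick can decrypt, and the silent-alarm re-randomization by XOR-ing fixed-size blocks. The ordered-list layout, the 8-bit block size and the use of os.urandom in place of the radioactive source are assumptions of this model.

```python
import os

ERASED = 2   # marker for a bit the stick has already "forgotten"


class EStick:
    """Software model of the encryption stick: an ordered list of random bits
    (layout (1) in the text) answering Say-and-Stay / Say-and-Forget queries."""

    def __init__(self, bits):
        self._bits = bytearray(bits)          # each entry is 0, 1 or ERASED

    @classmethod
    def manufacture(cls, n_bits):
        """Fill a new stick. os.urandom stands in for the radioactive source
        the paper proposes; only the bit-supply interface matters here."""
        raw = os.urandom((n_bits + 7) // 8)
        return cls((raw[i // 8] >> (i % 8)) & 1 for i in range(n_bits))

    def duplicate(self):
        """The matching stick of a pair, loaded with the same bits."""
        return EStick(self._bits)

    def remaining(self):
        """Bits not yet forgotten."""
        return sum(1 for b in self._bits if b != ERASED)

    def say_and_stay(self, i):
        """Return bit i and keep it, so it can be queried again."""
        if self._bits[i] == ERASED:
            raise ValueError(f"bit {i} was already forgotten")
        return self._bits[i]

    def say_and_forget(self, i):
        """Return bit i and destroy it on the spot."""
        b = self.say_and_stay(i)
        self._bits[i] = ERASED
        return b

    def one_time_pad(self, data, start):
        """Raw One-Time-Pad use: XOR each byte with 8 fresh bits taken
        Say-and-Forget style from position `start`. Encryption and decryption
        are the same operation, so only a stick that still holds those bits
        (the duplicate) can undo it; the encrypting stick cannot."""
        out = bytearray()
        pos = start
        for byte in data:
            key = 0
            for shift in range(8):
                key |= self.say_and_forget(pos) << shift
                pos += 1
            out.append(byte ^ key)
        return bytes(out)

    def silent_alarm(self, block=8):
        """Silent-alarm option from the text: re-randomize the contents by
        XOR-ing fixed-size blocks among themselves (here each block with the
        next one, cyclically). The stick keeps answering queries as if nothing
        happened, but its bits no longer match its twin's."""
        old = bytes(self._bits)
        nblocks = len(old) // block
        for i in range(nblocks):
            for j in range(block):
                x, y = old[i * block + j], old[((i + 1) % nblocks) * block + j]
                self._bits[i * block + j] = ERASED if ERASED in (x, y) else x ^ y


def pair_exchange(message):
    """Two identical e-sticks: one encrypts, its twin decrypts, and the
    encrypting stick can no longer recover its own ciphertext.
    Returns (recovered plaintext, whether the sender could decrypt)."""
    sender = EStick.manufacture(8 * len(message) + 64)
    receiver = sender.duplicate()
    ciphertext = sender.one_time_pad(message, 0)
    recovered = receiver.one_time_pad(ciphertext, 0)
    try:
        sender.one_time_pad(ciphertext, 0)
        sender_can_decrypt = True
    except ValueError:
        sender_can_decrypt = False
    return recovered, sender_can_decrypt


if __name__ == "__main__":
    print(pair_exchange(b"meet at noon"))
```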
3 Methodology

E-sticks create options for a large variety of methodologies. They fall into the category of trust management. Encryption in general has a place in human affairs only because we cannot always trust each other. If we could, we would have no reason to practice encryption. In particular, the e-stick offers a variety of methods to handle various degrees of mutual trust.

The ability to purchase an e-stick without a definite link between the purchaser (and eventual user) and the particular stick he or she bought is the crucial hub of the retail practice of the e-stick methodology. Such anonymity is not present in any of the prevailing systems in use today [6]. This aspect may turn out to be the most intriguing one of the e-stick methodology. To ensure maximum anonymity a user must be able to purchase an e-stick such that his or her identity is not revealed in the transaction, and then he or she must be able to use it, say, on the Internet without being exposed through the IP address in use. The former may be arranged through cash point of sale in public places, the latter may be arranged via public Internet boutiques where strangers purchase some access time for cash (or alternatively through libraries). A set of two identical e-sticks will allow two parties to communicate with impunity. Also, two strangers will be able to communicate through a third party who holds a duplicate of each e-stick. Many sources who pry for individual information about people are not necessarily interested in the explicit identity of the individual, but rather in his or her conduct and interest profile. Vendors, for instance, would wish to learn much about the taste and lifestyle of an individual, so that they would be able to target him or her for an array of products. It matters to them whether a person would rather buy a philosophy book, or a tennis racket, or perhaps both. Generally people are leery of such vendors’ data collection; but if that collection is pinned on a virtual identity of a person (while his real identity remains protected by the e-stick), then the vendors will be satisfied, and so will the individual. That individual will receive targeted offerings, purchase such items, and all the while his or her actual identity is left hidden.

Naturally, an individual could build himself several identities, using several e-sticks. That way an individual would be able to expose one certain virtual identity, and not another. Such may be the case when an individual would wish to communicate to the police a tip on a crime he or she witnessed. Using a dedicated e-stick, the user would submit the tip, and if it comes to it, he would be able to come forward, claim his reward, and do so without exposing his reading habits, or his very sensitive conversations with an on-line psychologist.

The e-sticks practice will offer another important feature to its users: deniability, 
[7,8,9]. That is the ability to deny a claim that a specific encrypted message is in fact 
contained in a captured ciphertext. In practice it means that if someone claims that 
ciphertext C is an encrypted form of plaintext P, then the writer might (credibly) say, 
no, C was generated from a different plaintext, say, P’. Since the e-stick is based on 
’Say-and-Forget’ random bits, there is no way to prove the identity of the bits 
(assuming the integrity of the device), and thus one may claim any identity to suit a 
deniability claim. The deniability option is clearly available for One-Time-Pad usage, 
and similarly for Daniel, and other systems of the kind. 

A user of an e-stick will authenticate its ongoing use by continuously employing the e-stick. Since each e-stick has its own unique random series, such continuity will authenticate the user. In the case where the e-stick is stolen, the thief will not find in the e-stick any clue to its prior usage, and hence is not likely to know who was contacted using that e-stick, and what was said.

While an e-stick user will be able to hide his actual identity, he will be able to lock himself relative to his virtual identity. And so will others. So that one who used some bits from an e-stick for a purpose will be deemed the one who used other bits thereof.

Encryption sticks might contribute an option to the much discussed digital cash dilemma. Using an e-stick one would approach a virtual banker, provide him with an amount of cash and a copy of the stick. The delivery of such can be made anonymously, even through the mail. Subsequently, the depositor will send encrypted orders to the banker as to where, and to whom, to pay parts of the deposited cash. The banker will follow such orders for a fee. Even under pressure, the banker will not be in a position to betray the identity of the depositor, since he or she would not know it. The depositor will need to trust the banker to follow this procedure, since the banker can deny ever receiving the deposit; but such bankers will soon be denounced. The depositor, on his part, will be able to start by risking small sums, and when he or she develops confidence in that banker, larger sums can be risked.



4 Conclusion 

This paper describes a device and a methodology for broad-based, anonymous distribution of communication-ready random bits. It further outlines various applications and usages of such an off-Internet supply of randomness. The underlying premise is the universal reliance on random bits (shared by all methods of encryption).
Abstract. In this paper we use extended NCP logic to formally analyze SSL 3.0, and show two important weak points of the protocol: the server is assured of neither the freshness nor the origin of the pre-master secret when RSA is used for key exchange. We only give the specification and analysis of one authentication mode of SSL 3.0 in detail, but all authentication modes have the two weak points. In particular, the flaw in the freshness of the pre-master secret may result in reuse of the pre-master secret, and we remedy it by introducing a nonce.



1 Introduction 

SSL protocol [1] is a security protocol that allows client/server applications to com- 
municate over the Internet in a way that is designed to prevent eavesdropping, tam- 
pering, or message forgery. TLS 1.0 [2] is a minor modification to SSL 3.0, so here 
we only discuss SSL 3.0. 

Since SSL 3.0 requires the principals’ knowledge to both increase and decrease, we need a logic capable of modeling a nonmonotonic protocol. NCP (Nonmonotonic Cryptographic Protocols) [3] is such a logic; it was put forward by Dr. Aviel David Rubin in 1994. In fact, Dr. Sven Dietrich of Adelphi University applied NCP logic to the analysis of SSL 3.0 in his PhD thesis in 1997 [4], but he did not consider applying the inference rules for asymmetric keys, and so was not able to uncover two important weak points in SSL 3.0, namely that the server is assured of neither the freshness nor the origin of the pre-master secret when RSA is used for key exchange. In this paper, we mainly describe the way to reveal the two weak points and the way to remedy one of them.

This paper is organized as follows. Section 2 briefly introduces NCP logic. Elements for specifying SSL 3.0 when NCP is used are described in detail in section 3. We then specify one authentication mode in section 4, and analyze the protocol in detail in section 5, uncovering the two weak points. In section 6, solutions to the weak points and possible problems are given. Section 7 concludes by calling attention to the two weak points.
2 NCP Logic

NCP logic is the first method proposed for reasoning nonmonotonically about knowl- 
edge in cryptographic protocols. 

In NCP, there is no idealization step in specifying protocols. One specifies a protocol via local and global sets of the protocol. Global sets contain the principals themselves, the inference rules, the secrets present in the protocol, and possible observers of those secrets. Each principal has an action list and two types of local sets: the possession set for knowledge, and the belief set for beliefs. NCP logic defines actions for dealing with knowledge in a protocol, and inference rules for reasoning about belief.

NCP has defined some actions and inference rules. Actions such as Forget and Forget-secret are used along with knowledge and belief sets to reason about nonmonotonicity of knowledge in protocols. One can add or extend actions and inference rules to meet a special purpose.

In NCP, the only purpose for a nonce is to link a single challenge to a unique response. A nonce is required to be used only once. When a principal generates a nonce $N_a$, the formula LINK($N_a$) is added to his belief set. When a message is received containing $N_a$, the LINK item is removed from the belief set, and all parts of that message are labeled as being fresh. A reply to the challenge can be accepted only once.

Every message is considered to be broadcast in NCP, and Update function is intro- 
duced to maintain global knowledge by updating the observers sets of all secrets that 
have been sent on the network. 

The analysis of a protocol begins with the first action in the initiator’s action list. If 
the conditions of an inference rule are satisfied as a result of an action, the rule is 
applied to the belief set of that principal. Then comes the next action in the same ac- 
tion list. For every Send message operation, the observers sets are updated by an Up- 
date function for any secret sent across the network, and the analysis moves to the 
first unseen Receive action in the action list of the principal specified in the Send. As 
the analysis progresses, possession sets, belief sets, secret sets and observers sets are 
updated. After the analysis completes, all actions should have been marked as seen. 
Flaws can be detected at any point in the analysis. 

Dr. Rubin also extended NCP for protocols that use asymmetric keys. New actions and inference rules for asymmetric keys are introduced. An important observation is that reasoning about the origin of messages is quite different when dealing with asymmetric key protocols. In addition, Dr. Rubin introduced the notion of binding a key to a principal.



3 Elements for Specifying SSL 3.0

Most of the actions and inference rules we use to analyze SSL 3.0 are chosen from those actions and inference rules in NCP, and we also add some for the special use of SSL.
3.1 Actions

We choose 12 actions from NCP’s 14 actions [3], all except Check-freshness and Bind.

3.2 Inference Rules 

The 6 inference rules we use are as follows:

(1) Nonce verification rule

$$\frac{(X \in POSS(Q)) \in BEL(P),\quad \#(X) \in BEL(P),\quad X \text{ from } Q \in POSS(P)}{BEL(P) := BEL(P) \cup \{Q \text{ believes } \#(X)\}} \qquad (1)$$

(2) Message meaning rule (for symmetric keys)

$$\frac{\{X\}_k \text{ from } Q \in POSS(P),\quad k \in POSS(P)}{BEL(P) := BEL(P) \cup \{X \in POSS(Q)\}} \qquad (2)$$

(3) Possible origins rule

$$\frac{X \in POSS(P),\quad X \text{ contains } x_1,\quad R \in Obs(x_1),\quad R \ne P}{x_1 \text{ from } R \in POSS(P)} \qquad (3)$$

(4) Submessage origins rule (1) (for asymmetric keys)

$$\frac{\{X\}_{k^{-1}} \in POSS(P),\quad X \text{ contains } x_1 \text{ from } Q,\quad X \text{ contains } x_2}{x_2 \text{ from } Q \in POSS(P)} \qquad (4)$$

(5) Submessage origins rule (2) (for asymmetric keys)

$$\frac{\{X\}_{k_Q^{-1}} \in POSS(P),\quad X \text{ contains } x_2}{x_2 \text{ from } Q \in POSS(P)} \qquad (5)$$

(6) Linkage rule (1) (for asymmetric keys)

$$\frac{\#(k) \in BEL(P),\quad k^{-1} \in POSS(P),\quad LINK(N_a) \in BEL(P),\quad X \text{ contains } f(N_a),\quad X \text{ contains } x_1,\quad \{X\}_k \text{ from } Q \in POSS(P)}{BEL(P) := (BEL(P) - LINK(N_a)) \cup \{\#(x_1)\}} \qquad (6)$$

In addition, we slightly modify the Linkage rule (2) for asymmetric keys, resulting in the Signature rule, which is used to check the freshness of a signature. The Linkage rule for symmetric keys is slightly modified into the Verify rule, which checks the freshness of the Finished message.

(7) Signature rule (for asymmetric keys)

$$\frac{\#(k) \in BEL(P),\quad k \in POSS(P),\quad LINK(N_a) \in BEL(P),\quad X \text{ contains } hash(N_a),\quad \{X\}_{k^{-1}} \text{ from } Q \in POSS(P)}{BEL(P) := (BEL(P) - LINK(N_a)) \cup \{\#(hash(N_a))\}} \qquad (7)$$

(8) Verify rule (for symmetric keys)

$$\frac{\#(k) \in BEL(P),\quad k \in POSS(P),\quad LINK(N_a) \in BEL(P),\quad X \text{ contains } hash(N_a),\quad \{X\}_k \text{ from } Q \in POSS(P)}{BEL(P) := (BEL(P) - LINK(N_a)) \cup \{\#(hash(N_a))\}} \qquad (8)$$



3.3 Functions 

We add 6 functions for the special use of SSL 3.0.

(1) Generate-keys($N_1$, $N_2$, $N_3$)

Generates session keys from the master-secret, the client’s random and the server’s random.

(2) Choose-ciphersuite($X$)

Chooses a CipherSuite from the CipherSuite list offered by the client.

(3) Match($N_1$, $N_2$)

Checks if the CipherSuite is included in the CipherSuite list.

(4) Finished($P$, $N_1$, $N_2$)

Generates the Finished message by hashing the master-secret and all sent messages.

(5) Ske($N_1$, $N_2$, $N_3$)

Generates the Server Key Exchange message by hashing the client’s random, the server’s random and the server’s public key.

(6) Cv($N_1$, $N_2$)

Generates the Client Certificate Verify message by hashing the master-secret and all sent messages.
4 Specifying SSL 3.0

We have the same assumptions about SSL 3.0 as those made by Dr. Sven Dietrich. 

- Anyone who is to be authenticated is in possession of a certificate signed by a CA. 
The public key of the CA is available to the one who performs authentication. 

- Hash functions are secure. 

- Supported cryptographic algorithms have not been broken. 

- The client and the server can succeed in choosing a CipherSuite, and an attacker cannot manipulate the choosing of the CipherSuite.

In addition, we add another assumption that an attacker has no means to obtain the 
session keys or the private key other than attacking the protocol. 

SSL supports three authentication modes: authentication of both the server and the 
client, server authentication with an unauthenticated client, and total anonymity. Here 
we only give the specification of the first mode in which both parties are authenticated 
as an example. 

Some assumptions about the first mode: 

- We use RSA as an example of key exchange.

- We assume certificates of both the client and the server are issued by the same CA.

- We assume the server’s certificate is used only for signing, so the Server Key Exchange message must be used to carry the server’s temporary RSA public key to the client.

- We assume the client’s certificate is an RSA or DSS certificate instead of a Diffie-Hellman certificate.

Here are also some notes:

- Some submessages of SSL 3.0 messages are not specified, since they are not useful to the analysis.

- The order of some actions is not explicitly given in the SSL 3.0 Specification. Here we arrange the order of these actions according to NCP logic’s requirements without violating the SSL 3.0 Specification.

- In order to comply with the NCP work flow, we combine several messages and use one Send operation to send them. This has no effect on the analysis of SSL 3.0.

GLOBAL SETS

P = {C, S} /* Principal set. C and S represent the client and the server respectively. */

R = {RULES, Signature rule, Verify rule} /* Rule set. RULES stands for the first 6 inference rules */

S = { } /* Secret set */

Observers(S) = { } /* Observers set */

TRUST = $\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix}$ /* Trust matrix */



LOCAL SETS

Principal C

POSS(C) = {$k^*_{CA} \rhd CA$, $\{k^*_C\}_{k_{CA}}$, $k^*_C \rhd C$, $k_C$, ciphersuites$_C$, Finished(), Generate-keys(), Match(), Cv()} /* $\rhd$ indicates a binding of a key */

BEL(C) = {#($k^*_{CA}$), #($k^*_C$), #($k_C$), #($\{k^*_C\}_{k_{CA}}$)}

Bindings(C) = {$k^*_C \rhd C$, $k^*_{CA} \rhd CA$} /* Bindings set */

BL(C) =
Generate-Nonce($N_C$)
Concat($N_C$, ciphersuites$_C$)
Send(S, {$N_C$, ciphersuites$_C$})
Update({$N_C$, ciphersuites$_C$})
Receive(S, {$N_S$, cipher$_S$, $\{k^*_S\}_{k_{CA}}$, {$k^*_{TS}$, $\{Ske(N_C, N_S, k^*_{TS})\}_{k_S}$}, CertReq, HelloDone})
Split({$N_S$, cipher$_S$, $\{k^*_S\}_{k_{CA}}$, {$k^*_{TS}$, $\{Ske(N_C, N_S, k^*_{TS})\}_{k_S}$}, CertReq, HelloDone})
Apply(Match, {ciphersuites$_C$, cipher$_S$})
Apply-asymkey($\{k^*_S\}_{k_{CA}}$, $k^*_{CA}$)
Apply-asymkey($\{Ske(N_C, N_S, k^*_{TS})\}_{k_S}$, $k^*_S$)
Generate-Secret(PMS)
Apply-asymkey(PMS, $k^*_{TS}$)
Generate-Secret(MS)
Forget-Secret(PMS)
Apply(Generate-keys, {MS, $N_C$, $N_S$})
Apply(Cv, {MS, SentM})
Apply-asymkey(Cv({MS, SentM}), $k_C$)
Apply(Finished, {Client, MS, Sent-Messages})
Encrypt(Finished$_C$, $k_{CS}$)
Send(S, Concat($\{k^*_C\}_{k_{CA}}$, $\{PMS\}_{k^*_{TS}}$, $\{Cv(MS, SentM)\}_{k_C}$, ChgCipher, $\{Finished_C\}_{k_{CS}}$))
Update({$\{k^*_C\}_{k_{CA}}$, $\{PMS\}_{k^*_{TS}}$, $\{Cv(MS, SentM)\}_{k_C}$, ChgCipher, $\{Finished_C\}_{k_{CS}}$})
Receive(S, {ChgCipher, $\{Finished_S\}_{k_{SC}}$})
Split({ChgCipher, $\{Finished_S\}_{k_{SC}}$})
Decrypt($\{Finished_S\}_{k_{SC}}$, $k_{SC}$)
Principal S

POSS(S) = {$k^*_{CA} \rhd CA$, $\{k^*_S\}_{k_{CA}}$, $k^*_S \rhd S$, $k_S$, Finished(), Generate-keys(), Choose-ciphersuite(), Ske()}

BEL(S) = {#($k^*_{CA}$), #($k^*_S$), #($k_S$), #($\{k^*_S\}_{k_{CA}}$)}

Bindings(S) = {$k^*_S \rhd S$, $k^*_{CA} \rhd CA$}

BL(S) =
Receive(C, {$N_C$, ciphersuites$_C$})
Split({$N_C$, ciphersuites$_C$})
Apply(Choose-ciphersuite(), {ciphersuites$_C$})
Generate-Nonce($N_S$)
Generate-key-pair($k^*_{TS}$, $k_{TS}$) /* the server’s temporary key pair */
Apply(Ske, Concat($N_C$, $N_S$, $k^*_{TS}$))
Apply-asymkey(Ske({$N_C$, $N_S$, $k^*_{TS}$}), $k_S$)
Concat($N_S$, cipher$_S$, $\{k^*_S\}_{k_{CA}}$, {$k^*_{TS}$, $\{Ske(N_C, N_S, k^*_{TS})\}_{k_S}$}, CertReq, HelloDone)
Send(C, {$N_S$, cipher$_S$, $\{k^*_S\}_{k_{CA}}$, {$k^*_{TS}$, $\{Ske(N_C, N_S, k^*_{TS})\}_{k_S}$}, CertReq, HelloDone})
Update({$N_S$, cipher$_S$, $\{k^*_S\}_{k_{CA}}$, {$k^*_{TS}$, $\{Ske(N_C, N_S, k^*_{TS})\}_{k_S}$}, CertReq, HelloDone})
Receive(C, {$\{k^*_C\}_{k_{CA}}$, $\{PMS\}_{k^*_{TS}}$, $\{Cv(MS, SentM)\}_{k_C}$, ChgCipher, $\{Finished_C\}_{k_{CS}}$})
Split({$\{k^*_C\}_{k_{CA}}$, $\{PMS\}_{k^*_{TS}}$, $\{Cv(MS, SentM)\}_{k_C}$, ChgCipher, $\{Finished_C\}_{k_{CS}}$})
Apply-asymkey($\{k^*_C\}_{k_{CA}}$, $k^*_{CA}$)
Apply-asymkey($\{PMS\}_{k^*_{TS}}$, $k_{TS}$)
Generate-Secret(MS)
Forget-Secret(PMS)
Apply(Generate-keys, {MS, $N_C$, $N_S$})
Apply-asymkey($\{Cv(MS, SentM)\}_{k_C}$, $k^*_C$)
Decrypt($\{Finished_C\}_{k_{CS}}$, $k_{CS}$)
Apply(Finished, {Server, MS, Sent-Messages})
Encrypt(Finished$_S$, $k_{SC}$)
Send(C, {ChgCipher, $\{Finished_S\}_{k_{SC}}$})
Update({ChgCipher, $\{Finished_S\}_{k_{SC}}$})



5 The Analysis of SSL 3.0 

When the specification is finished, the analysis begins with the first action in C's be-
havior list. The first four actions in BL(C) are executed, resulting in new members of
the sets POSS(C) and BEL(C). Also, the Update action causes Observers(Nc) = W
(W represents all the principals). So far, no inference rules can be applied.

POSS(C) = { k*_CA |-> CA, {k*_C}_k_CA, k*_C |-> C, k_C, ciphersuites_c, Nc, Finished(),
Generate-keys(), Match(), Cv() }

BEL(C) = { #(k*_CA), #(k_C), #(k*_C), #({k*_C}_k_CA), LINK(Nc) }

BL(C):

o Generate-Nonce(Nc)
o Concat(Nc, ciphersuites_c)
o Send(S, { Nc, ciphersuites_c })
o Update({ Nc, ciphersuites_c })

After the Update action, the next action to be executed is in S's behavior list because
the Send action specifies S.

• Receive(C, { Nc, ciphersuites_c })

The first ten actions in BL(S) are executed. There are still no relevant inference rules.
The new values of S's local sets are:

POSS(S) = { k*_CA |-> CA, Nc from C, ciphersuites_c from C, Ns,
k*_TS |-> S, k_TS, Ske({Nc, Ns, k*_TS}), { Ns, cipher_s, {k*_S}_k_CA, {k*_TS, {Ske(Nc,Ns,k*_TS)}_k_S},
CertReq, HelloDone }, Finished(), Generate-keys(), Choose-ciphersuite(), Ske() }

BEL(S) = { #(k*_CA), #(k_S), #(k*_S), LINK(Ns), #(k*_TS), #(k_TS),
#(Ske({Nc, Ns, k*_TS})) }

Bindings(S) = { k*_S |-> S, k*_CA |-> CA, k*_TS |-> S }

BL(S):

o Receive(C, { Nc, ciphersuites_c })

o Update({ Ns, cipher_s, {k*_S}_k_CA, {k*_TS, {Ske(Nc,Ns,k*_TS)}_k_S}, CertReq, HelloDone })

The next action is in C's BL.

• Receive(S, { Ns, cipher_s, {k*_S}_k_CA, {k*_TS, {Ske(Nc,Ns,k*_TS)}_k_S}, CertReq, HelloDone })

Then the next three actions are executed.

o Split({ Ns, cipher_s, {k*_S}_k_CA, {k*_TS, {Ske(Nc,Ns,k*_TS)}_k_S}, CertReq, HelloDone })
o Apply(Match, { ciphersuites_c, cipher_s })
o Apply-asymkey({k*_S}_k_CA, k*_CA)

The terms {k*_S}_k_CA, k*_TS, {Ske(Nc,Ns,k*_TS)}_k_S and k*_S are added to POSS(C).
k*_S |-> S is added to Bindings(C). C trusts S, causing TRUST[1,2] = 1. The next action
to be executed is:

• Apply-asymkey({Ske(Nc,Ns,k*_TS)}_k_S, k*_S)

At this point, the conditions for the Submessage origin rule (2) for asymmetric keys
are satisfied, so Ske({Nc, Ns, k*_TS}) from S is added to POSS(C). Also, the conditions
for the Signature rule are satisfied. Once the rule is applied, the freshness of S's sig-
nature on its temporary public key, #(Ske({Nc, Ns, k*_TS})), is added to BEL(C), and the
LINK(Nc) formula is removed from BEL(C). Then C executes the next three actions:

o Generate-Secret(PMS)

o Apply-asymkey(PMS, k*_TS)

o Generate-Secret(MS)

The terms PMS, MS and {PMS}_k*_TS are added to POSS(C). PMS and MS are also added to
the secret set S. The terms #(PMS) and #(MS) are added to BEL(C). The next action is:

• Forget-Secret(PMS)

This action causes PMS to be removed from POSS(C) and #(PMS) to be removed
from BEL(C). Then the next seven actions are executed.

o Apply(Generate-keys, {MS, Nc, Ns})

o Update({ {k*_C}_k_CA, {PMS}_k*_TS, {Cv(MS,SentM)}_k_C, ChgCipher, {Finished_C}_kcs })

The terms ksc, kcs, Cv(MS,SentM), {Cv(MS,SentM)}_k_C, Finished_C and {Finished_C}_kcs
are added to POSS(C), and ksc and kcs are also added to the secret set S. The terms
#(ksc) and #(kcs) are added to BEL(C). The Update action adds S to Observ-
ers(PMS). The next action to be executed is in S's behavior list.

• Receive(C, { {k*_C}_k_CA, {PMS}_k*_TS, {Cv(MS,SentM)}_k_C, ChgCipher, {Finished_C}_kcs })

The next two actions are executed.

o Split({ {k*_C}_k_CA, {PMS}_k*_TS, {Cv(MS,SentM)}_k_C, ChgCipher, {Finished_C}_kcs })
o Apply-asymkey({k*_C}_k_CA, k*_CA)

The terms {k*_C}_k_CA, {PMS}_k*_TS, {Cv(MS,SentM)}_k_C, {Finished_C}_kcs and k*_C are added to
POSS(S). k*_C |-> C is added to Bindings(S). S trusts C, causing TRUST[2,1] = 1. The
next action to be executed is:

• Apply-asymkey({PMS}_k*_TS, k_TS)

After this action is executed, PMS is added to POSS(S). However, the Linkage rule
(1) for asymmetric keys does not apply because there is no LINK statement in
BEL(S). Thus, S cannot conclude that PMS is fresh. Also, S cannot conclude that PMS
comes from the client, since the Submessage origin rule (1) for asymmetric keys
does not apply: there is no submessage other than PMS in {PMS}_k*_TS that is known to
come from the client. The unfreshness of PMS implies the unfreshness of MS, kcs and ksc. In
fact, when S receives {Finished_C}_kcs, it cannot apply the Verify rule because that
rule requires kcs to be fresh. For the remainder of the protocol, S can never conclude that
anything received under kcs is fresh.

As for the authentication mode in which only the server is authenticated, the two
problems exist as long as RSA is used for key exchange, and the deduction that reveals
them is almost the same as the one above. The two weak points also exist in the com-
pletely anonymous mode with RSA key exchange, but the completely anonymous
mode is inherently vulnerable to the man-in-the-middle attack, in which the attacker
can impersonate both the client and the server to obtain the pre-master secret. Com-
paratively, the two weak points are therefore less threatening in this mode.

When Diffie-Hellman is used for key agreement, these two problems do not arise.
But an anonymous Diffie-Hellman session is also inherently vulnerable to the man-in-
the-middle attack.

The problem of the freshness of the pre-master secret may have a bad consequence: com-
promise of the pre-master secret can lead to its reuse. The attack discovered by Dr.
Daniel Bleichenbacher [5], which exploits a weakness of the RSA PKCS#1
encoding method, can recover the pre-master secret of the attacked session. The
attacker, exploiting the fact that the server cannot be assured of the freshness
of the pre-master secret, then uses the old pre-master secret to construct the Client Key Exchange
message in a new session with the same server, resulting in reuse of the old pre-
master secret. This weakness in SSL 3.0 is very similar to the one in the Needham
and Schroeder protocol (with shared keys) [6] discovered by Denning and Sacco [7],
namely that principal B cannot conclude that the shared key with principal A, Kab, is
fresh. The only difference is that PMS is encrypted under a public key in SSL 3.0 while
Kab is encrypted under a symmetric key in the Needham and Schroeder protocol.



6 Solutions to the Weak Points 

It is relatively easy to repair the flaw in the freshness of the pre-master secret. Add a
nonce, Ns', to the Server Hello Done message. Ns' is then included in the Client Key Exchange
message to assure the server of the freshness of the pre-master secret; the structure of
the Client Key Exchange message becomes {Ns', PMS}_k*_TS. The length of Ns' must be
decided carefully, since SSL 3.0 is a protocol with real deployed implementations.
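The replay described at the end of Section 5 and the Ns' repair just described can be made concrete with a small symbolic model. The following Go program is an added example written for this page, not code from the paper or from any SSL implementation: public-key encryption is modelled Dolev-Yao style (a term {body}_k* opens only with the matching private key), the master-secret derivation is a simplified HMAC stand-in for the SSL 3.0 PRF, and the key names, the 16-byte nonce length and the server's bookkeeping are assumptions of the example. ReplayAttack(false) resends a captured {PMS}_k*_S in a fresh session and shows the unmodified server accepting it, with an attacker who already knows PMS deriving the new MS; ReplayAttack(true) shows the nonce-bound {Ns', PMS}_k*_S being rejected.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Ciphertext is a symbolic {body}_pub: it records the public key it was made
// under and opens only with the matching private key (no real RSA involved).
type Ciphertext struct {
	Pub  string
	Body []byte
}

func aenc(pub string, body []byte) Ciphertext {
	return Ciphertext{Pub: pub, Body: append([]byte(nil), body...)}
}

func adec(priv string, ct Ciphertext) ([]byte, error) {
	if ct.Pub != "pub:"+priv[len("priv:"):] {
		return nil, errors.New("ciphertext is not under this key pair")
	}
	return ct.Body, nil
}

// kdf stands in for the SSL 3.0 derivation MS = f(PMS, Nc, Ns).
func kdf(pms, nc, ns []byte) []byte {
	m := hmac.New(sha256.New, pms)
	m.Write(nc)
	m.Write(ns)
	return m.Sum(nil)
}

func nonce() []byte {
	b := make([]byte, 16) // 16-byte nonces are an assumption of the example
	rand.Read(b)
	return b
}

// Server follows S's behaviour list for the RSA key exchange. With fixed set,
// it applies the Section 6 change: Ns' goes out with ServerHelloDone and must
// come back inside ClientKeyExchange as {Ns', PMS}_k*_S.
type Server struct {
	pub, priv   string
	fixed       bool
	nc, ns, ns2 []byte
}

func NewServer(fixed bool) *Server {
	return &Server{pub: "pub:S", priv: "priv:S", fixed: fixed}
}

func (s *Server) Hello(nc []byte) (ns, ns2 []byte) {
	s.nc, s.ns, s.ns2 = nc, nonce(), nil
	if s.fixed {
		s.ns2 = nonce()
	}
	return s.ns, s.ns2
}

// ClientKeyExchange returns the derived MS, or nil if the message is rejected.
func (s *Server) ClientKeyExchange(cke Ciphertext) []byte {
	body, err := adec(s.priv, cke)
	if err != nil {
		return nil
	}
	pms := body
	if s.fixed {
		if len(body) < 16 || !hmac.Equal(body[:16], s.ns2) {
			return nil // Ns' does not match this session: stale or replayed
		}
		pms = body[16:]
	}
	return kdf(pms, s.nc, s.ns)
}

// honestClient runs one session with the given PMS and returns its ClientKeyExchange.
func honestClient(s *Server, pms []byte) Ciphertext {
	_, ns2 := s.Hello(nonce())
	cke := aenc(s.pub, append(append([]byte(nil), ns2...), pms...))
	s.ClientKeyExchange(cke)
	return cke
}

// ReplayAttack captures {PMS}_k*_S from an honest session and resends it in a
// new session. It reports whether S accepted the message and whether an
// attacker who already knows PMS obtains the new session's MS.
func ReplayAttack(fixed bool) (accepted, attackerHasMS bool) {
	s := NewServer(fixed)
	pms := nonce()
	oldCKE := honestClient(s, pms)
	nc2 := nonce()
	nsNew, _ := s.Hello(nc2)
	ms := s.ClientKeyExchange(oldCKE)
	if ms == nil {
		return false, false
	}
	return true, bytes.Equal(ms, kdf(pms, nc2, nsNew))
}

func main() {
	a, b := ReplayAttack(false)
	fmt.Printf("SSL 3.0 RSA key exchange: replay accepted=%v, attacker derives MS=%v\n", a, b)
	a, b = ReplayAttack(true)
	fmt.Printf("with Ns' in ClientKeyExchange: replay accepted=%v, attacker derives MS=%v\n", a, b)
}
```

The model does not implement the Bleichenbacher recovery of PMS; it takes PMS as already known, which is the precondition stated above. Note that the unmodified server keeps no state that could reveal the reuse, so freshness has to come from the message structure itself, which is exactly what binding Ns' into the encrypted Client Key Exchange achieves.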

It is not easy to remedy the flaw in the origin of the pre-master secret without much
modification to the basic structure of the protocol. Only a submessage from the client,
say Ns', can make the server believe that the pre-master secret really comes from the client
according to NCP's Submessage origin rule (1) for asymmetric keys, and this
requires encryption under the client's public key to ensure that only the client
can see the submessage. All of this leads to much modification of the message
structures, the introduction of new messages and a reordering of all messages. Besides,
the fact that RSA key exchange shares the protocol structure with Diffie-Hellman key ex-
change must be taken into account.



7 Conclusion 

We have applied the extended NCP logic to the analysis of SSL 3.0, and shown two weak
points of the protocol when RSA is used for key exchange. These two problems exist
in any case in which the pre-master secret is transmitted to the server encrypted under the
server's RSA public key.
It is from the viewpoint of message structure that SSL 3.0 has these two weak
points, which were discovered by applying a formal analysis method to the protocol.
The Client Certificate Verify message can only prove the origin of the pre-master
secret and the fact that the client knows the pre-master secret; it cannot prove the
freshness of the pre-master secret. Moreover, the Client Certificate Verify message is
used only when the client is authenticated and its certificate is only used for signing.
Thus, the two weak points really deserve attention.
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Abstract. Transaction security is commonly seen as one of the key fac- 
tors influencing the success of Mobile Commerce. In this paper simula- 
tion-based performance measurements of the Wireless Transport Layer 
Security (WTLS) protocol are presented. Its impact on an exemplary 
m-commerce transaction is discussed. 



1 Introduction 

Although saturation can be observed in Europe, the market for mobile telephony
still faces overwhelming growth in most of the world's regions. Globally,
240 million¹ people are predicted to use their mobile phones for wireless data
exchange by the end of 2004, up from 26 million in 1999. As most of this data
exchange is predicted to be business-centred, a considerable number of users all
over the world will be engaged in Mobile Commerce (M-Commerce).

The Wireless Application Protocol (WAP) [1] specifies an application frame-
work and network protocols to foster convergence of the Internet and wireless
networks like CDPD or GSM/GPRS (Fig. 1). Within the context of m-commerce
the Mobile electronic Transaction (MeT) Initiative has been formed by the lead-
ing mobile manufacturers to define common and consistent usage scenarios, e.g.,
mobile payment or ticketing [2]. Rather than developing proprietary solutions to
security problems, MeT embraces and extends existing industry standards and
technologies, especially WAP. Therefore the performance of the employed WAP
security mechanisms, WTLS and WMLScript signText, has a major impact on
the overall transaction duration.

In [3] several alternatives for establishing secure channels to mobile devices 
have been compared whereby the influence of different key lengths and key ex- 
change protocols has not been examined extensively. This work contributes de- 
tailed performance measurements of WTLS acquired from our WAP simulation 
platform. 

After giving an overview on WTLS we briefly describe the simulator and 
present the measurement results. We then discuss the impact WAP’s security 
mechanisms impose on the overall duration of m-commerce transactions by ex- 
emplarily investigating a MeT payment using a SET Wallet Server. 

¹ according to Allied Business Intelligence
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Fig. 1. Typical setup for accessing an Internet server via WAP 



2 Wireless Transport Layer Security 

The WTLS protocol is based upon the industry-standard Transport Layer Secu-
rity (TLS) and offers various cryptographic algorithms to provide confidentiality,
integrity, and authentication over the air interface. Several symmetric algorithms
like DES, 3DES, RC5, or IDEA can be employed for encryption and decryption, whereas
a keyed HMAC in combination with MD5 or SHA-1 is used to ensure
message authentication. RSA and ECDH are suggested for anonymous key ex-
change. In addition, RSA signing and ECDSA can be used for authenticated key
exchange. It has to be noted that WTLS is unable to ensure non-repudiation.

Unlike for RSA handshakes, a provision is made for an optimised variant of
the ECDH_ECDSA and ECDH handshakes. In this case the amount of data to
be transferred across the air interface can be reduced, since the server is able to
retrieve the client's certificate from a certificate distribution service or from its
own sources rather than obtaining it from the client. The flows of messages ex-
changed within full and optimised handshakes are depicted in Fig. 2. To resume
a previous secure session and reuse negotiated security parameters, an abbre-
viated handshake can be performed. Further details concerning WTLS can be
found in [1].



Fig. 2. Message flow for WTLS handshakes (figure not reproduced; the message groups legible in the figure are listed below)

Full Handshake:
  Client -> Server: ClientHello
  Server -> Client: ServerHello, Certificate*, ServerKeyExchange*, CertificateRequest*, ServerHelloDone
  Client <-> Server: Application Data

Optimised Handshake:
  Client -> Server: ClientHello
  Server -> Client: ServerHello, Certificate
  Client <-> Server: Application Data

* Indicates optional or situation-dependent messages that are not always sent
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3 Performance Evaluation 

Our simulation platform is a prototypical, standard-conformant implementation
of the relevant protocols WTP, WTLS, WDP, and IP. It is formally specified in
SDL² and coded in C/C++. Most of the implementations of the cryp-
tographic computations originate from the free C++ class library Crypto++
4.1³. All of the following measurements are the results of tests carried out on a SUN
Enterprise server equipped with 1664 Mbyte RAM, using one single dedicated
processor with a 400 MHz clock frequency.



3.1 Throughput of WTLS 

The WTLS throughput results from the processing times needed for the gener- 
ation of record IV, the calculation and verification of keyed MAC, and the en- 
and decryption respectively. Hence the values given in Table 1 do not correspond 
with the ones resulting from investigations on the pure cipher throughput as — for 
example — done in [4]. WTLS user data ranging from 256 up to 8192 bytes have 
been used and the measured throughputs have been averaged. Note that only 
user data has been taken into account for calculating the throughput whilst the 
encrypted data additionally includes the MAC and padding. All ciphers operate 
in CBC mode and a key length of 128 bits has been chosen for AES, Serpent, 
Twofish, and Mars. 



Table 1. Throughput of the WTLS-layer in Mbit/s

keyed MAC      DES   3DES    RC5   IDEA    AES  Serpent  Twofish   Mars
MD5 (enc)     5.81   2.38   9.01   6.52  15.10     3.32     5.63   5.82
MD5 (dec)     5.76   2.37   8.70   5.75  14.76     3.13     5.52   5.69
SHA-1 (enc)   5.14   2.26   7.45   5.61  10.56     2.96     4.78   4.97
SHA-1 (dec)   5.13   2.26   7.40   5.15  11.36     2.92     4.89   5.08



Table 1 shows that AES (Rijndael) in combination with MD5 provides the
highest performance. The faster the investigated cipher algorithm, the more
weight lies in the selection of the hashing algorithm. However, we observe that,
contrary to our expectation, the decryption throughput of AES (11.36 Mbit/s) is higher than
its encryption throughput (10.56 Mbit/s) when SHA-1 is employed, while with MD5
encryption is, as expected, the faster direction. Even after repeated sim-
ulations on different machines and thorough analysis this behaviour remained
inexplicable.

² Specification and Description Language

³ Please refer to http://www.eskimo.com/~weidai/cryptlib.html for further infor-
mation.
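To make concrete the overhead that separates the Table 1 figures from pure cipher throughput (Sect. 3.1: per-record IV, keyed MAC, padding), here is an added example written for this page, not the authors' simulator code: a WTLS/TLS-style MAC-then-encrypt record layer in Go using AES-128-CBC and HMAC-SHA-1 from the standard library. The per-record IV derivation (base IV XOR the repeated 16-bit sequence number), the 5-byte MAC header layout and the TLS-style padding bytes are simplifying assumptions of the example, not the exact WTLS wire format. UserDataRatio returns user bytes divided by ciphertext bytes for a record of a given size, block size and MAC length, i.e. the factor by which MAC and padding depress a user-data throughput measurement.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

// RecordLayer protects records as MAC-then-encrypt: HMAC over (seq, type,
// length, data), then CBC encryption of data||MAC||padding under a
// per-record IV derived from the base IV and the sequence number (assumed
// simplification of the WTLS block-cipher IV scheme).
type RecordLayer struct {
	block  cipher.Block
	macKey []byte
	baseIV []byte
	seq    uint16
}

var errRecord = errors.New("record rejected") // one error for length, padding and MAC failures

func NewRecordLayer(encKey, macKey, baseIV []byte) (*RecordLayer, error) {
	b, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	if len(baseIV) != b.BlockSize() {
		return nil, errors.New("baseIV must be exactly one cipher block")
	}
	return &RecordLayer{block: b, macKey: macKey, baseIV: baseIV}, nil
}

func (r *RecordLayer) recordIV(seq uint16) []byte {
	iv := append([]byte(nil), r.baseIV...)
	for i := range iv { // big-endian seq repeated across the block, XORed in
		iv[i] ^= byte(seq >> (8 * uint(1-i%2)))
	}
	return iv
}

func (r *RecordLayer) mac(seq uint16, ctype byte, data []byte) []byte {
	hdr := make([]byte, 5)
	binary.BigEndian.PutUint16(hdr[0:], seq)
	hdr[2] = ctype
	binary.BigEndian.PutUint16(hdr[3:], uint16(len(data)))
	m := hmac.New(sha1.New, r.macKey)
	m.Write(hdr)
	m.Write(data)
	return m.Sum(nil)
}

// Seal protects one record and advances the implicit sequence number.
func (r *RecordLayer) Seal(ctype byte, data []byte) []byte {
	bs := r.block.BlockSize()
	plain := append(append([]byte(nil), data...), r.mac(r.seq, ctype, data)...)
	pad := bs - len(plain)%bs // 1..bs bytes, each holding pad-1 (TLS convention)
	for i := 0; i < pad; i++ {
		plain = append(plain, byte(pad-1))
	}
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(r.block, r.recordIV(r.seq)).CryptBlocks(out, plain)
	r.seq++
	return out
}

// Open decrypts and verifies the peer's next record. A wrong sequence number
// (replay or reordering), bad padding or a bad MAC all yield the same error.
func (r *RecordLayer) Open(ctype byte, rec []byte) ([]byte, error) {
	bs := r.block.BlockSize()
	if len(rec) == 0 || len(rec)%bs != 0 {
		return nil, errRecord
	}
	plain := make([]byte, len(rec))
	cipher.NewCBCDecrypter(r.block, r.recordIV(r.seq)).CryptBlocks(plain, rec)
	pad := int(plain[len(plain)-1]) + 1
	good := pad <= len(plain)-sha1.Size
	if good {
		for _, b := range plain[len(plain)-pad:] {
			good = good && int(b) == pad-1
		}
	}
	if !good {
		return nil, errRecord
	}
	body := plain[:len(plain)-pad]
	data, tag := body[:len(body)-sha1.Size], body[len(body)-sha1.Size:]
	if !hmac.Equal(tag, r.mac(r.seq, ctype, data)) {
		return nil, errRecord
	}
	r.seq++
	return data, nil
}

// UserDataRatio is user bytes / ciphertext bytes for one CBC record.
func UserDataRatio(userLen, blockSize, macLen int) float64 {
	total := userLen + macLen
	total += blockSize - total%blockSize
	return float64(userLen) / float64(total)
}

func main() {
	a, _ := NewRecordLayer([]byte("0123456789abcdef"), []byte("mac-key"), []byte("fedcba9876543210"))
	println(len(a.Seal(23, []byte("hello WTLS"))), UserDataRatio(256, 16, sha1.Size))
}
```

Open returns one undifferentiated error for a bad length, bad padding and a bad MAC, because a record layer that lets the peer tell padding failures from MAC failures exposes a padding oracle. The code above still skips the MAC computation when the padding is bad, so its timing differs on the two paths; a production implementation has to equalise that as well.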
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3.2 Handshake 

In contrast to the WTLS throughput, which — even when implemented within a 
constrained environment — is higher than the underlying network’s throughput, 
attention has to be paid to the duration of a handshake. The overall durations 
of several handshake procedures have been measured while varying the effective 
mean throughput of the underlying bearer, which is determined by numerous 
factors such as available radio resources, network latency and channel quality. 
The measurement results of four types of full handshakes and one optimised 
handshake are shown in Fig. 3. The key lengths of RSA and ECDH have been set 
to 1024 bits and 160 bits respectively. The time needed for the server retrieving 
a certificate in the optimised variant has been assumed to be 500 ms. 

Interestingly, the impact of the various cryptographic methods becomes neg-
ligible as the network throughput decreases, and the amount of data* transferred
during a single handshake (Table 2) becomes more important.

Fig. 3. Duration of examined WTLS handshake procedures (figure not reproduced)



3.3 Impact on an M-commerce Transaction

Table 2. Size of message groups exchanged during a handshake*

           RSA        ECDH_ECDSA  RSA_anon   ECDH_ECDSA (opt)  ECDH_anon
1st msg.   263 bytes  263 bytes   263 bytes  263 bytes         263 bytes
2nd msg.   485 bytes  287 bytes   210 bytes  338 bytes          98 bytes
3rd msg.   780 bytes  310 bytes   221 bytes  154 bytes         115 bytes
4th msg.   116 bytes  116 bytes   116 bytes  -                 116 bytes

* includes WDP- and IP-overhead

The MeT Initiative has specified a usage scenario for mobile payments using a
SET Wallet Server wherein non-repudiation is granted by application-level digital
signatures (WMLScript signText) and SET messages are exchanged between the
server and merchants only. Assuming that the WAP gateway and the SET Wallet
Server are both hosted by the corresponding credit institute, a secured channel
between mobile devices and the server can be established by means of WTLS.

Measurements carried out with ECDSA signing have resulted in an increase
of the transaction duration by 0.11 s if no certificate has been included in the
signed string and 0.35 s in case the certificate has been appended. With RSA
signing, the duration increases by 1.73 s and 2.50 s respectively. Given that most
of the time is spent in the SET Wallet Server itself [5], the slight increase
is acceptable, although these values do not take into account a handshake, which
may eventually have to be performed.

4 Conclusions 

Our performance evaluation shows that, as the WTLS
throughput is higher than the expected throughput of the underlying bearers, the im-
pact of symmetric encryption and decryption becomes negligible. However, the cost of
completing WTLS handshakes still has to be taken into consideration. As ex-
emplarily shown in Sect. 3.3, if a full handshake is to be carried out prior to each
transaction, a significant increase in transaction duration is to be expected,
depending on the chosen key exchange suite and the available channel quality.
Based on this, the decision whether to execute a full or an abbreviated
handshake should be made deliberately.
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Abstract. With the ubiquitous deployment of large scale networks, 
more and more complex human interactions are supported by computer 
applications. This poses new challenges on the expressiveness of security 
policy design systems, often requiring the use of new security paradigms. 
In this paper we identify a restricted type of obligation which is useful 
to express new security policies. This type of obligation includes the fol- 
lowing general situations: i) when two or more actions oblige each other, 
i.e. if one action is executed the others must also be executed and recip- 
rocally, and ii) when an action obliges another and the obligatory action 
is causally dependent on the first action. 



1 Introduction 

The growing number of Internet users and services raises constantly new chal- 
lenges for defining and ensuring adequate security policies. Most policies im- 
plement solely access control barriers, based on the concepts of permission or 
prohibition, but the current expansion of electronic business will stress, in a near 
future, the needs for more sophisticated security policies. In particular, we be- 
lieve that the concept of obligation will have an increasing importance for the 
expressiveness of such policies. The need for ensuring obligation has already been 
recognized by several authors [1,2,3] and is illustrated by the following examples. 

Consider that Alice browses through a site where she acquires several goods;
when she leaves the site she is obliged to pay for the goods she acquired, otherwise
the goods are not bought. Usually this policy must be enforced within the site's
code, because the security service cannot enforce this kind of policy. Another
illustrative example is when Alice registers herself, via a web server, as a student
of Online University. Once she has done that, she is obliged to register herself as
a student of at least one discipline chosen from a set of available disciplines. On
the other hand, Alice could first register herself in a discipline; in this case she
is then obliged to register as a student of the Online University.

These examples show that there is a clear need for expressing an application- 
specific obligation in a flexible way; and enforcing obligations with a security 
monitor has obvious advantages: it is language and application independent, 
and can be found in a large number of environments (virtual machines, operating 
systems, etc.). 
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2 Enforceable Obligations 



To act upon security policies, a security service must know when someone at-
tempts to violate those policies and what to do when that happens. In most
security services, attempts to violate rules based on the concepts of permission and prohi-
bition are detected when an event requesting an action occurs and,
in that case, the requested action is denied. The difficulty with rules based on
obligation is that the time at which a violation attempt occurs and the action
to perform when that happens are not so easy to instantiate as a particular in-
stant and action, respectively: first, because a generic obligation does not need
to have a deadline, and second, because there is no generic action (the same for
every situation) to perform in case of a violation attempt.

Fortunately, obligation rules are seldom generic. Often what a security man-
ager wants to express is a "conditional obligation", in which the obligation is
triggered by a pre-condition event: "U1 must do O if U2 has done T". While
with the generic type of obligation a system is in an unsafe¹ state until the obli-
gation has been fulfilled, with the conditional obligation a system has two safe
states, one before the triggering event (T) and one after the obligation (O) is
fulfilled. Thus, if it is impossible to fulfil the obligation, the system may
always return to the safe state before the activating event, i.e. undo T. However,
even conditional obligations cannot be enforced solely by a standard security
monitor. Using simple logic² it is possible to rewrite the conditional obligation
into an expression with a dependency on a future event: "U2 cannot
do T if U1 will not do O".

Schneider [4] states that with a monitor it is not possible to enforce a se-
curity policy in which the acceptability of an event depends on possible future
events. Informally, his argument is quite simple: given the executions (sequences
of events) τ and τ', in which τ is a prefix of some execution τ', it is not possible
to allow τ on the basis that one of its extensions τ' is allowed by the security
policy, because the system could stop before τ', and the system would then have failed
to enforce the policy.

The key issue that differentiates our work from Schneider’s is the underlying 
model of execution. While to Schneider a system evolves through units of execu- 
tion controlled by the security manager, which are independent from each other, 
to us those units may be organized in atomic sequences, thus depending on each 
other. By atomic we mean, in the sense of transactions’ ACID properties, either 
all happens or none happens. Inside these atomic sequences of execution it is 
possible to define security policies with dependencies on future actions, because 
it is not possible for a system to stop execution leaving the sequence incomplete. 

There are several ways to implement transactions [5], namely by keeping an 
undo-log with the information needed to reset the system to the initial state 
in case of failure, or by defining compensating actions for those actions that 

¹ Unsafe in the sense that the security policy has not been completely enforced until
then.

² T ⇒ O ≡ ¬O ⇒ ¬T
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cannot be undone but can be compensated. However, there are some actions that 
cannot be undone or compensated, e.g. sending a document to a printer. These 
actions are called real actions on transaction management systems [5] and are 
already known to require special treatment by those systems in order to achieve 
atomicity. Implementing security obligations within transactions increases the 
number of real actions, because these must include actions that change human 
knowledge state (e.g. showing some text on the screen), which are not dealt by 
most transactional management systems. 



3 Implementing Enforceable Obligations 



We have implemented the obligation concept within our access control frame-
work. This framework is composed of a security policy language (SPL) and its
compiler [6]. SPL is a security language designed to express policies that aim at
deciding on the acceptability of events.

An SPL policy is a structure composed of sets and rules, whose purpose 
is to express simple concepts like “separation of duty”, “information flow”, or 
“general access control” . Sets contain the entities used by the policies to decide on 
events acceptability. A rule is a function of events, and may assume three values: 
“allow” , “deny” and “notapply” . Its purpose is to decide on the acceptability of 
the current event. A rule can be simple or composed. A simple rule is a tuple of 
two logical expressions. The first logical expression decides on the applicability 
of the rule, and the second decides on the acceptability of the event. Each policy 
has one special rule called the “query rule”, which is identified by a question 
mark before the name, whose purpose is to define the policy behavior. 

A simple policy stating that documents internal to the organization defining 
the policy cannot be sent to someone outside the organization, can easily be 
expressed in SPL: 



policy Private ( user set OrganizationUsers,                       // Policy data
                 object set InternalDocs ) {
  ?Private :                                                       // Rule name.
    ce.action = "SendEmail" & ce.target IN InternalDocs            // Applicability exp.
    :: ce.parameter[1] IN OrganizationUsers                        // Acceptability exp.
}



The rule uses the special variable “ce” to access the current event properties. 
The applicability expression of the rule states that the policy is defined only 
for events whose targets are documents internal to the organization and whose 
action is to send an Email. The acceptability expression states that for those 
events that satisfy the applicability expression the only events allowed are the 
ones that send the Email to a user inside the organization. 

Given the future-dependent nature of obligation-based policies, they are
expressed in SPL by quantifying a variable over the special abstract set
FutureEvents, which encompasses all the events that are to be performed after
the current event. Figure 1 shows an example of an information flow policy which
uses obligation to force applications to register the information flow originated
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policy InfoFlow () { 

interface ReadFlowActions, 
interface WriteFlow Actions; 
collection ProtObjects; 

TlnfoFlow: 

EXISTS fe IN FutureEvents { 
FORALL pe IN PastEvents { 
FORALL g IN pe.target. groups { 
ce. action IN WriteFlow Actions & 
ce.task = pe.task & 
pe.target IN ProtObjects & 
pe. action IN ReadFlowActions & 
:: ce. target IN g } } }; } 



(a) 



policy HistorylnfoFlow () { 
interface ReadFlowActions, 

WriteFlow Actions; 
collection ProtObjects; 

?InfoFlow: 

FORALL te IN PastEvents { // (1) 

EXISTS fe IN PastEvents { 

FORALL pe IN PastEvents { 
FORALL g IN pe.target. groups { 
ce.action.name = ’’commit” & // (2) 
ce.transjd = te.transjd & // (3) 

te.time < fe.time & // (4) 

te.time > pe.time & // (5) 

te. action IN WriteFlowActions & 
pe.target IN ProtObjects & 
pe. action IN ReadFlowActions & 
pe.task = te.task 
:: te.target IN g } } } }; } 

(b) 



Fig. 1. (a) An information flow policy, (b) The transformation into an history-based 
policy 



by them into SPL rules. This policy is not a strict information flow policy in the 
sense that it cannot handle implicit flows, as defined in Denning [7]. However, 
in some situations [8] the information leak resulting from implicit flows does not 
pose a serious security risk, either because the information on variables deter- 
mining the sequence of execution is public or because it is not possible to infer 
the sequence of executions from the results of that sequence. For these situations 
it is possible to define information flow policies enforceable by event monitors, 
because the regulation of explicit information flow, from storage to storage, can 
be performed with just the knowledge on past events properties. 

As explained in Sect. 2, the problem of enforcing obligation-based security
policies is reduced to allowing or denying the event that instructs the transaction
monitor to commit a transaction, depending on whether every obligation was fulfilled
at the time of that event. A security policy that allows or denies an event (the
commit event) depending on whether some events were executed (the
obligations) is a history-based policy. In [6], we have shown that history-based
policies can be implemented efficiently using specially tuned logs for each policy;
thus obligation-based policies can also be implemented efficiently in the same way.

The transformation from the obligation-based policy to the history-based
policy can be achieved in two steps. The first step, called "aging", consists of
replacing references to events by older references: (i) references to the current
event are replaced by references to a past event called the "trigger-event" (line (1)
of Fig. 1b); (ii) references to past events are replaced by references to other
past events with an additional constraint specifying their occurrence before the
trigger-event (line (5) of Fig. 1b); (iii) references to future events are replaced
by references to past events with the additional constraint of occurring after the
trigger-event (line (4) of Fig. 1b). The second step consists of inserting into this
policy an explicit reference to the event that requests the transaction commit
(lines (2) and (3) of Fig. 1b).

Due to space limitations we defer the details on the performance of history-
based policies to [6]. Nevertheless, the important observation is that, in all tests
performed, the delay on the commit event caused by the information flow policy
was in the worst case less than 1 ms, which is negligible compared to the actual
commit time.
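As an added illustration of the two-step transformation above (this is example code written for this page, not the SPL compiler's own implementation, which the page does not show), the following Go program evaluates the aged, history-based form of Fig. 1b directly over an event log when the commit event arrives. The log's position stands in for the time field; the event attributes (trans_id, task, action, target) follow Fig. 1; and two things are assumptions of the example: the obligatory "register the flow" action is named RegisterFlow and the acceptability test "te.target IN g" is replaced by the check that such a registration exists for te's target, since the figure does not name the registering event. The nested loops map onto the quantifiers of Fig. 1b: te ranges over writes in the committing transaction (lines (1) to (3)), pe over earlier reads of protected objects by the same task (line (5)), fe over later events in the same transaction (line (4)).

```go
package main

import "fmt"

// Event is one monitored action as the security monitor logs it. The log is
// assumed to be in time order, so the position in the log plays the role of
// the .time attribute in Fig. 1b.
type Event struct {
	TransID string // transaction the event belongs to (trans_id)
	Task    string // task performing the action
	Action  string
	Target  string
}

// InfoFlowPolicy holds the sets the HistoryInfoFlow rule quantifies over.
// RegisterAction names the obligatory event (assumed: "RegisterFlow").
type InfoFlowPolicy struct {
	ReadFlowActions  map[string]bool
	WriteFlowActions map[string]bool
	ProtObjects      map[string]bool
	RegisterAction   string
}

// AllowCommit returns the rule's value ("allow", "deny" or "notapply") for the
// current event ce, plus the first unfulfilled trigger-event on a deny.
func (p InfoFlowPolicy) AllowCommit(log []Event, ce Event) (string, *Event) {
	if ce.Action != "commit" { // line (2): the rule only applies to commits
		return "notapply", nil
	}
	for i, te := range log { // line (1): trigger-event in the past
		if te.TransID != ce.TransID || !p.WriteFlowActions[te.Action] { // line (3)
			continue
		}
		triggered := false
		for _, pe := range log[:i] { // line (5): pe happened before te
			if pe.Task == te.Task && p.ProtObjects[pe.Target] && p.ReadFlowActions[pe.Action] {
				triggered = true
				break
			}
		}
		if !triggered {
			continue
		}
		fulfilled := false
		for _, fe := range log[i+1:] { // line (4): fe happened after te
			if fe.TransID == te.TransID && fe.Action == p.RegisterAction && fe.Target == te.Target {
				fulfilled = true
				break
			}
		}
		if !fulfilled {
			t := te
			return "deny", &t
		}
	}
	return "allow", nil
}

// Demo runs the policy over a constructed log: T1 registers the flow it
// created and may commit, T2 sends data out of a task that read a protected
// object without ever registering the flow and must not commit.
func Demo() (string, string) {
	p := InfoFlowPolicy{
		ReadFlowActions:  map[string]bool{"read": true},
		WriteFlowActions: map[string]bool{"write": true, "send": true},
		ProtObjects:      map[string]bool{"/secret/plan": true},
		RegisterAction:   "RegisterFlow",
	}
	log := []Event{ // constructed sample log, in time order
		{"T1", "taskA", "read", "/secret/plan"},
		{"T1", "taskA", "write", "/out/report"},
		{"T1", "taskA", "RegisterFlow", "/out/report"},
		{"T2", "taskB", "read", "/secret/plan"},
		{"T2", "taskB", "send", "mail:bob"}, // no RegisterFlow follows
		{"T2", "taskB", "write", "/public/note"},
	}
	r1, _ := p.AllowCommit(log, Event{TransID: "T1", Action: "commit"})
	r2, _ := p.AllowCommit(log, Event{TransID: "T2", Action: "commit"})
	return r1, r2
}

func main() {
	r1, r2 := Demo()
	fmt.Println("T1 commit:", r1, " T2 commit:", r2)
}
```

Denying the commit is what makes the obligation enforceable: T2's send has already happened, but under the transactional model of Sect. 2 it has not taken effect, and the abort returns the system to the safe state before the trigger. The quadratic scan here is the naive form; the per-policy logs of [6] avoid rescanning the whole history at every commit.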

4 Conclusion 

We have identified a restricted type of obligation which is both useful
for expressing the security policies of large organizations and enforceable by
security monitors. This type of obligation includes the following generic situa-
tions: i) when the two actions involved in a conditional obligation oblige each
other, and ii) when the obligatory action is causally dependent on its trigger
action. Our approach consists in using the transaction concept to delay the ac-
tual security monitoring until commit time, thus avoiding the problem of
future dependency inherent to any obligation policy. We have developed a se-
curity language and a compiler encompassing the obligation paradigm, and the
performance results show that it can be implemented efficiently.
Abstract. Finite field arithmetic is becoming increasingly important in
today's computer systems, particularly for implementing cryptographic
operations. Among various arithmetic operations, finite field multiplica-
tion is of particular interest since it is a major building block for elliptic
curve cryptosystems. In this paper, we present new techniques for ef-
ficient software implementation of binary field multiplication in normal
basis. Our techniques are more efficient in terms of both speed and mem-
ory compared with alternative approaches.



1 Introduction 

Finite field arithmetic is becoming increasingly important in today's computer
systems, particularly for implementing cryptographic operations. Among the
more common finite fields in cryptography are odd-characteristic finite fields of
degree 1 and even-characteristic finite fields of degree greater than 1. The latter is
conventionally known as GF(2^m) arithmetic or binary field arithmetic. GF(2^m)
arithmetic is further classified according to the choice of basis for representing
elements of the finite field; two common choices are polynomial basis and normal
basis.

Fast implementation techniques for GF(2^m) arithmetic have been studied in-
tensively in the past twenty years. Among various arithmetic operations, GF(2^m)
multiplication has attracted most of the attention since it is a major building
block for implementing elliptic curve cryptosystems. Depending on the choice of
basis, the mathematical formula for a GF(2^m) multiplication can be quite dif-
ferent, thus making major differences in practical implementation. Currently, it
seems that normal basis representation (especially optimal normal basis) offers
the best performance in hardware [9,10,11], while in software polynomial basis
representation is more efficient [2,3,8].

For interoperability, it is desirable to support both types of basis in soft- 
ware, which can be done either by implementing arithmetic in both bases or 
by implementing one basis together with basis conversion algorithms. Various 



S. Qing, T. Okamoto, and J. Zhou (Eds.): ICICS 2001, LNCS 2229, pp. 177-188, 2001.
(c) Springer-Verlag Berlin Heidelberg 2001

178    P. Ning and Y.L. Yin



basis conversion techniques [4,5,6] have been proposed with performance trade-
offs. Because of the overhead of basis conversion, supporting both bases directly
seems preferable to basis conversion for certain applications.

There has not been much study related to implementing normal basis multi- 
plication in software, in contrast with the amount of work related to polynomial 
basis. The main difficulties for fast normal basis multiplication in software are 
due to the particular computation process: First, when multiplying two elements 
represented in normal basis according to the standard formula, the coefficients of 
their product need to be computed one bit at a time. Second, the computation 
of a given bit involves a series of “partial sums” which need to be computed 
sequentially in software, while this is easily parallelized in hardware. 

In this paper, we present new techniques for efficient software implementation 
of normal basis multiplication, part of which were originally described in a patent 
application [13]. At the core of our method are a mathematical transformation 
and a novel way of doing precomputation, which significantly reduce both time 
and memory complexity. 

To study the effectiveness of our techniques, we compare our approach with
the best alternative one¹ developed by Rosing [14]. Our approach is much more
efficient than his method in terms of both speed and memory. Speed-wise, anal-
ysis and experimental results show that there is a significant speed-up using
our new techniques. Memory-wise, the number of bytes stored is only O(m)
compared with O(m²) in [14]. This is especially useful for memory-constrained
devices, the environments in which elliptic curve cryptosystems seem more attractive
than conventional public key cryptosystems such as RSA. Our techniques for
field multiplication can also be combined with elliptic curve arithmetic to pro-
vide further speed-up.

The rest of the paper is organized as follows. In Section 2, we provide some 
mathematical background, and in Section 3, we review the related work on nor- 
mal basis multiplication for both software and hardware. In Section 4, we present 
our new multiplication techniques, and in Section 5, we summarize experimental 
results. Some further discussions on related issues are included in Section 6, and 
concluding remarks are given in Section 7. 



2 Mathematical Background 

In this section, we first define some basic notations for the finite field GF(2^m) and
its representation in normal basis. Then, we describe the multiplication formulas
for both general normal basis and optimal normal basis.

Since we are considering software implementation, we will use w to denote
the word size throughout the paper. For simplicity, we assume that w | m (w divides m).

¹ The recent result in [15] has better performance than Rosing's method for certain
choices of m. However, our approach remains the fastest among the known methods.
Please see Section 3.
2.1 Finite Field GF(2^m) and Normal Basis Representation

The finite field GF(2^m) is the set of all 2^m possible 0-1 strings of length m, with
certain rules for field addition and multiplication. The finite field GF(2^m) has
various basis representations, including normal basis representation.

A binary polynomial is a polynomial with coefficients in GF(2). A binary
polynomial is irreducible if it is not the product of two binary polynomials of
smaller degree. For simplicity, we will refer to such a polynomial as an irreducible
polynomial. Irreducible polynomials exist for every degree m and can be found
efficiently.

Let g(x) be an irreducible polynomial of degree m. If β is a root of g(x), then
the m distinct roots of g(x) in GF(2^m) are given by $B = \{\beta, \beta^{2}, \beta^{2^2}, \ldots, \beta^{2^{m-1}}\}$. If
the elements of B are linearly independent, then g(x) is called a normal polyno-
mial and B is called a normal basis for GF(2^m) over GF(2). Normal polynomials
exist for every degree m. For certain choices of m, $x^m + x^{m-1} + x^{m-2} + \cdots + x + 1$
is a normal polynomial. Given any element $a \in GF(2^m)$, one can write

$$a = \sum_{i=0}^{m-1} a_i \beta^{2^i}, \quad \text{where } a_i \in \{0, 1\}.$$



2.2 Multiplication with General Normal Basis

In normal basis, field multiplication is usually carried out using a multiplication
matrix, which is an m-by-m matrix M with each entry $M_{ij} \in GF(2)$. Details
on how to compute matrix M from g(x) can be found in [4]. The complexity of
M, denoted by $C_M$, is defined to be the number of 1's in M. It is well known that
$C_M \geq 2m - 1$.

Let $a = (a_0, a_1, \ldots, a_{m-1})$ and $b = (b_0, b_1, \ldots, b_{m-1})$ be two elements repre-
sented in normal basis, and let $c = (c_0, c_1, \ldots, c_{m-1})$ be their product. Then each
coefficient $c_k$ is computed as follows².

$$c_k = (a_k, a_{k+1}, \ldots, a_{k+m-1})\, M\, (b_k, b_{k+1}, \ldots, b_{k+m-1})^T . \qquad (1)$$

In a straightforward software implementation of formula (1), a, b, and each
column of M are all stored in m/w computer words. A matrix-vector multi-
plication $Mb^T$ can be carried out with (m/2)(m/w) word operations on aver-
age, and hence the total number of word operations for computing c is about
$m(m/2)(m/w) = m^3/2w$. Note that the computation time is independent of the
complexity $C_M$.

If we spell out formula (1), we obtain the following equation for $c_k$.




² Throughout the paper, the additions in the subscripts are understood as addi-
tions modulo the degree m, unless otherwise specified.

In formula (2), essentially the same expression is used for each coefficient $c_k$.
More specifically, given the expression for $c_k$, one can just increase the subscripts
of a and b by one (modulo m) to obtain the expression for $c_{k+1}$. Formula (2)
will be useful in later discussions.



2.3 Multiplication with Optimal Normal Basis 

An optimal normal basis (ONB) [1,12] is a normal basis which has the lowest
complexity, that is, $C_M = 2m - 1$. Optimal normal bases only exist for certain
degrees m. In the range [150, 600], there are only 101 degrees for which an ONB
exists.

There are two kinds of optimal normal basis, called type I ONB and type II ONB.
They differ in the mathematical formulas which define them. The matrix M has
the form that the first row has a single non-zero entry, and each of the remaining rows
has exactly two non-zero entries. So the matrix M can be stored more compactly
using two tables t1[i] and t2[i], which are the indices of the two non-zero entries
in row i of M. Using t1 and t2, formula (2) can be rewritten as follows.

$$c_k = a_k \cdot b_{t1[0]+k} \;\oplus\; \bigoplus_{i=1}^{m-1} \left[ a_{i+k} \cdot \left( b_{t1[i]+k} \oplus b_{t2[i]+k} \right) \right] . \qquad (3)$$



3 Related Work 

3.1 Hardware 

In formula (1), when a new bit Ck needs to be computed, the coefficients of both 
a and b are rotated to the left by one bit. This fact is useful for efficient hardware 
implementation of normal basis multiplication [9,10,11], since the same circuit 
that represents M can be repeatedly used and each coefficient can be computed 
in one clock cycle. 

Even though the sequence of operations for each coefficient is easily paral- 
lelized in hardware, it is quite difficult to mimic the same technique in a software 
implementation since these operations are inherently sequential in software. 

3.2 Software 

Fast software implementation techniques for normal basis multiplication have 
been centered around optimal normal basis. In [7], a method for type I optimal 
normal basis was considered. The idea is to use polynomial-basis-like multipli- 
cation and take advantage of the special form of the irreducible polynomials for 
type I ONB. Their method does not seem to extend to type II ONB or other 
normal basis. 

In [14], Rosing presented an efficient method for ONB multiplication. The
main idea is that the partial sum $a_{k+i} \cdot (b_{t1[i]+k} \oplus b_{t2[i]+k})$ in formula (3) can
be computed simultaneously for different coefficients (different subscript i) using
word operations in software. To do this, some preprocessing of b is necessary. At
a high level, Rosing's method can be summarized as follows.

— Precomputation: compute and store m rotations of b.

— Main loop: for each i = 1, 2, ..., m − 1, compute the partial sum $a_{k+i} \cdot
(b_{t1[i]+k} \oplus b_{t2[i]+k})$. As a special case, when i = 0, the partial sum $a_k \cdot b_{t1[0]+k}$
is computed.

In the main loop, each partial sum is computed in O(m/w) operations, for a
total of O(m²/w) operations. For the precomputation, the number of operations
for computing all rotations of b is also O(m²/w), and the total number of bytes
stored is m²/8. Note that for precomputation, both time and memory grow
quadratically as m increases.

Our approach does share a feature similar to Rosing’s method: Our approach 
also computes multiple bits of the (partial) result simultaneously using word op- 
erations. However, our approach employs a very different precomputation tech- 
nique. As we will show in section 5, our technique reduces the time and memory 
complexity for precomputation from quadratic to linear, yielding a much more 
efficient algorithm than Rosing’s method. 

Reyhani-Masoleh et al. recently proposed a series of fast normal basis multi-
plication algorithms based on some mathematical transformations [15]. Accord-
ing to their timing result [15], our approach is about twice as fast as their most
efficient algorithm. For example, the running time for m = 299 (ONB) reported
in [15] is 114 μs on a Pentium III 533 MHz, which can be scaled to 101 μs on a
Pentium III 600 MHz (our platform). In comparison, our implementation takes
42.36 μs on a Pentium III 600 MHz. Note that it is possible to combine our tech-
niques with those in [15]; however, we do not cover this topic here but consider
it as possible future work.

4 Our Techniques 

In this section, we present our techniques for an efficient software implementation 
of normal basis multiplication. We begin with a basic method for general normal 
basis. Then, we present a simple yet effective improvement to the basic method. 
Finally, we discuss how our approach can be applied to ONB to provide much 
better performance. 

4.1 The Basic Method 

At the core of our method is a new way of doing the precomputation, which
significantly reduces both time and memory complexity. First, we define the
quantities that need to be precomputed. For i = 0, 1, ..., m − 1, let

$$A[i] = (a_i, a_{i+1}, \ldots, a_{i+w-1}),$$
$$B[i] = (b_i, b_{i+1}, \ldots, b_{i+w-1}),$$
$$C[i] = (c_i, c_{i+1}, \ldots, c_{i+w-1}).$$

In other words, each A[i] has length w and the A[i]'s are the successive blocks of
a in a wrap-around fashion, and similarly for B[i] and C[i]. It is easy to see that
$c = (C[0], C[w], C[2w], \ldots, C[(m/w - 1)w])$. Now we can rewrite formula (2) using
A, B, C as follows:

For t from 0 to (m/w − 1):

$$C[wt] = \bigoplus_{i=0}^{m-1} A[(i + wt) \bmod m] \cdot \left( \bigoplus_{j=0}^{m-1} M[i,j]\, B[(j + wt) \bmod m] \right) . \qquad (4)$$



We can see that the total number of equations in formula (4) is m/w, and one
equation in formula (4) corresponds to w consecutive equations in formula (1)
or formula (2). In a software implementation of formula (4), "·" can be computed
as a bit-wise AND operation between two words, and "⊕" can be computed
as a bit-wise Exclusive-OR operation between two words. Therefore, during the
computation process, the quantities involved are only the A[i]'s and B[i]'s, which have
already been precomputed, and the operations involved are only word operations.

The following gives a straightforward implementation of formula (4) in C. 



Algorithm 1.

    precompute arrays A and B;
    for (t = 0; t < (m/w); t++) {
        C[w*t] = 0;
        for (i = 0; i < m; i++) {
            temp = 0;
            for (j = 0; j < m; j++)
                if (M[i][j] == 1) temp ^= B[(j+w*t) % m];   /* inner XOR of formula (4) */
            C[w*t] ^= A[(i+w*t) % m] & temp;                /* word-wise AND, accumulated by XOR */
        }
    }

The total number of word operations for the main loop is $O(C_M \cdot m/w)$. The
number of operations for precomputing the arrays A and B is O(m), and the
total number of precomputed bytes is 2 × m × (w/8) = w · m/4, which is 8m
for a typical PC implementation. Note that both time and memory complexity are
linear in m for the precomputation phase.



4.2 Further Optimization 

We can further speed up the basic method in Section 4.1 by precomputing and 
storing the arrays A and B in a clever way to avoid all the modulo m computation 
for indexing in the main loop. 

To achieve this, we first extend the definition of the arrays A and B as follows:
for i = 0, ..., m − 1, we define³

$$A[i + m] = A[i] = (a_i, a_{i+1}, \ldots, a_{i+w-1}),$$
$$B[i + m] = B[i] = (b_i, b_{i+1}, \ldots, b_{i+w-1}).$$

Here, the addition in A[i + m] and B[i + m] is a real addition without modulo m.



We precompute arrays A and B, each of which consists of 2m elements of
length w:

$$A[0], A[1], \ldots, A[m-1], A[m], A[m+1], \ldots, A[2m-1],$$
$$B[0], B[1], \ldots, B[m-1], B[m], B[m+1], \ldots, B[2m-1].$$
Given A and B, we can improve the C code in Section 4.1: 

Algorithm 2.

    precompute arrays A and B;
    for (k = 0; k < m; k += w) {
        C[k] = 0;
        for (i = 0; i < m; i++) {
            temp = 0;
            for (j = 0; j < m; j++)
                if (M[i][j] == 1) temp ^= B[j];
            C[k] ^= A[i] & temp;
        }
        A += w; B += w;      /* advance both pointers one word: no modulo m indexing needed */
    }

The idea in the above code is the following: when computing C[0], we
use words 0 through m − 1 in arrays A and B (that is, the first m words).
When computing C[w], we use words w through w + m − 1 in arrays A and B,
which is accomplished by two easy pointer jumps. Similarly, we can compute
C[2w], ..., C[m − w].

This way, the arrays A and B are accessed sequentially within the main loop,
significantly improving the speed at some cost in memory. The number of
operations for precomputing A and B remains the same, and the total number
of precomputed bytes is w · m/2, which is 16m for a typical PC implementation.

4.3 Applying the Techniques to ONB 

Algorithm 2 in the preceding section can be simplified using the fact that the
inner loop over j no longer exists for ONB, since it only involves one or two elements
of B. Here we assume the non-zero entry of the first row of M is stored in t1[0]
and the two non-zero entries of row i (0 < i < m) are stored in t1[i] and t2[i],
respectively (see Section 2.3).

Algorithm 3.

    precompute arrays A and B;
    for (k = 0; k < m; k += w) {
        temp = A[0] & B[t1[0]];                  /* row 0 of M has a single non-zero entry */
        for (i = 1; i < m; i++)                   /* rows 1 .. m-1 have two non-zero entries */
            temp ^= A[i] & (B[t1[i]] ^ B[t2[i]]);
        C[k] = temp;
        A += w; B += w;
    }







The implementation for type I ONB can be further improved by taking ad-
vantage of the special form of its multiplication matrix. For type I ONB, the
non-zero entry of the first row of M is always in column m/2, and one of the
two non-zero entries of row i is in column m/2 + i mod m [14]. Thus, we can
compute one non-zero entry of row i of M, say t1[i], as i + m/2 mod m.

This fact can be combined with the precomputation to remove one table
lookup from the inner loop of Algorithm 3. The idea is to further extend the array
B by m/2 words such that for i = 2m, 2m + 1, ..., 2m + m/2 − 1, B[i] = B[i − m].
Then B[t1[i]] = B[i + m/2 mod m] in the inner loop can be replaced by B[i + m/2]
(without involving the mod operation), and thus we can use another pointer
D = B + m/2 and further replace B[i + m/2] with D[i]. As a result, the above
code can be improved as follows.

Algorithm 4.

    precompute arrays A and B;
    D = B + m/2;                                 /* D[i] = B[i + m/2] = B[t1[i]] for type I ONB */
    for (k = 0; k < m; k += w) {
        temp = A[0] & D[0];
        for (i = 1; i < m; i++)
            temp ^= A[i] & (D[i] ^ B[t2[i]]);
        C[k] = temp;
        A += w; B += w; D += w;
    }
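As an added example (not the authors' code or the paper's implementation), the following C program implements Algorithm 4 for the type I ONB of GF(2^36), where p = 37 is prime and 2 is a primitive root mod 37, with w = 32; it derives t2[] from the structure of M described above and checks the result against an independent multiplication carried out in the exponent representation of the p-th root of unity. It also goes beyond the paper's w | m assumption by masking the last C word; the field size, test elements and helper names (onb_init, precompute, onb_mul, ref_mul, self_check) are this example's own choices.

```c
/* Added example (not the authors' code): Algorithm 4 for the type I ONB of
 * GF(2^36) with w = 32, plus an independent reference multiplication. */
#include <stdint.h>
#include <stdio.h>

#define M_DEG 36      /* m: p = m + 1 = 37 is prime and 2 is a primitive root mod 37 */
#define P_MOD (M_DEG + 1)
#define W_BITS 32     /* w; it does not divide m here, so the last C word is masked */
typedef uint32_t word_t;

static int pow2mod[M_DEG];   /* pow2mod[i] = 2^i mod p */
static int t2[M_DEG];        /* second non-zero column of row i of M (row 0 has only t1[0]) */

/* Type I ONB: M[i][j] = 1 iff (2^i + 2^j) mod p is 0 or 1.  2^j = -2^i gives
 * j = i + m/2 (the implicit t1[i] served by the D pointer); 2^j = 1 - 2^i is t2[i]. */
static void onb_init(void)
{
    int log2tab[P_MOD] = {0};    /* log2tab[2^i mod p] = i */
    pow2mod[0] = 1;
    for (int i = 1; i < M_DEG; i++) pow2mod[i] = (2 * pow2mod[i - 1]) % P_MOD;
    for (int i = 0; i < M_DEG; i++) log2tab[pow2mod[i]] = i;
    for (int i = 1; i < M_DEG; i++) t2[i] = log2tab[(1 - pow2mod[i] + P_MOD) % P_MOD];
}

/* n windows of an element: bit l of win[i] is a_{(i+l) mod m}.  win[0] is built
 * bit by bit; each further window is one shift plus one bit insert, so the whole
 * table costs O(m) word operations (Section 4.1). */
static void precompute(uint64_t a, word_t *win, int n)
{
    word_t cur = 0;
    for (int l = W_BITS - 1; l >= 0; l--)
        cur = (cur << 1) | (word_t)((a >> (l % M_DEG)) & 1);
    for (int i = 0; i < n; i++) {
        win[i] = cur;
        cur = (cur >> 1) | ((word_t)((a >> ((i + W_BITS) % M_DEG)) & 1) << (W_BITS - 1));
    }
}

/* Algorithm 4.  Elements are uint64_t with bit i = coefficient of beta^(2^i). */
static uint64_t onb_mul(uint64_t a, uint64_t b)
{
    word_t Abuf[2 * M_DEG], Bbuf[2 * M_DEG + M_DEG / 2];
    precompute(a, Abuf, 2 * M_DEG);
    precompute(b, Bbuf, 2 * M_DEG + M_DEG / 2);   /* extra m/2 words for the D pointer */
    const word_t *A = Abuf, *B = Bbuf, *D = Bbuf + M_DEG / 2;
    uint64_t c = 0;
    for (int k = 0; k < M_DEG; k += W_BITS) {
        word_t temp = A[0] & D[0];                /* i = 0: a_k * b_{k+m/2} */
        for (int i = 1; i < M_DEG; i++)
            temp ^= A[i] & (D[i] ^ B[t2[i]]);     /* w coefficients per step */
        int nbits = (M_DEG - k < W_BITS) ? M_DEG - k : W_BITS;
        word_t mask = (nbits == W_BITS) ? ~(word_t)0 : (((word_t)1 << nbits) - 1);
        c |= (uint64_t)(temp & mask) << k;        /* drop the wrapped bits of the last word */
        A += W_BITS; B += W_BITS; D += W_BITS;
    }
    return c;
}

/* Independent reference: view a = sum a_i beta^(2^i) as a polynomial in the
 * primitive p-th root beta, multiply as a cyclic convolution mod x^p - 1, and
 * rewrite the constant term beta^0 = 1 as beta + beta^2 + ... + beta^m. */
static uint64_t ref_mul(uint64_t a, uint64_t b)
{
    int ea[P_MOD] = {0}, eb[P_MOD] = {0}, f[P_MOD] = {0};
    for (int i = 0; i < M_DEG; i++) {
        ea[pow2mod[i]] = (int)((a >> i) & 1);
        eb[pow2mod[i]] = (int)((b >> i) & 1);
    }
    for (int r = 1; r < P_MOD; r++)
        for (int s = 1; s < P_MOD; s++)
            f[(r + s) % P_MOD] ^= ea[r] & eb[s];
    if (f[0]) for (int r = 1; r < P_MOD; r++) f[r] ^= 1;
    uint64_t c = 0;
    for (int i = 0; i < M_DEG; i++) c |= (uint64_t)f[pow2mod[i]] << i;
    return c;
}

/* Squaring in a normal basis is a cyclic left rotation of the coefficients. */
static uint64_t rotl_m(uint64_t a)
{
    const uint64_t all = ((uint64_t)1 << M_DEG) - 1;
    return ((a << 1) | (a >> (M_DEG - 1))) & all;
}

/* Self-check on constructed operands; returns 1 on success, 0 on failure. */
static int self_check(void)
{
    const uint64_t one = ((uint64_t)1 << M_DEG) - 1;       /* 1 = sum of all basis elements */
    const uint64_t x = 0x9A3F0C5D2ULL, y = 0x4E1B7A6C3ULL; /* constructed 36-bit elements */
    onb_init();
    if (onb_mul(x, y) != ref_mul(x, y) || onb_mul(x, y) != onb_mul(y, x)) return 0;
    if (onb_mul(x, one) != x || onb_mul(one, one) != one) return 0;
    if (onb_mul(x, x) != rotl_m(x) || ref_mul(y, y) != rotl_m(y)) return 0;
    return 1;
}

int main(void)
{
    printf("self-check %s\n", self_check() ? "passed" : "FAILED");
    return 0;
}
```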

5 Performance Results 

To evaluate the performance of our methods, we performed a series of exper- 
iments for both type I and type II ONB on a Pentium III 600 PC running 
Windows 2000 Professional. The programs were written in C, and the timing 
results were computed by averaging the timing for 100,000 multiplications of 
random field elements. The rest of this section gives the performance data. In 
particular, our methods are compared with Rosing’s method in terms of timings 
and memory requirements. 

In FIPS 186-2 [16], NIST recommended 10 finite fields: 5 prime fields and
5 binary fields. The lengths of the fields were chosen so that the corresponding
elliptic curve cryptographic (ECC) systems would have security comparable to
symmetric ciphers of key lengths 80, 112, 128, 192, 256. Since an ONB does not
exist for every field length m, we choose field lengths that are closest to the
NIST recommended field lengths. Table 1 lists the specific field lengths.

Table 2 shows the timings of type I ONB multiplications for the dimensions 
in table 1. Compared with Rosing’s method, our general method (Algorithm 3) 
reduces the execution time for type I ONB multiplication by about 70%, while 
our enhanced method (Algorithm 4) further reduces the time by about 5%. As 
a result, the execution time of type I ONB multiplication is reduced by about 
75%. Table 3 shows the timings of type II ONB multiplications for the dimen- 
sions listed in table 1. Though Algorithm 4 cannot be applied to type II ONB, 
Table 1. NIST recommended lengths of binary finite fields for ECC.

Symmetric cipher key length | Algorithm  | Dimension m of GF(2^m) | Type I ONB | Type II ONB
80                          | Skipjack   | 163                    | 162        | 158
112                         | triple-DES | 233                    | 226        | 233
128                         | AES-128    | 283                    | 292        | 281
192                         | AES-192    | 409                    | 418        | 410
256                         | AES-256    | 571                    | 562        | 575

Table 2. Timings for multiplication with Type I ONB (μs).

Dimension m | Rosing | Algorithm 3 | Time Reduced | Algorithm 4 | Time Reduced
162         | 55.48  | 17.5        | 68.46%       | 14.62       | 73.65%
226         | 92.74  | 28.05       | 69.75%       | 23.53       | 74.63%
292         | 137.39 | 41.55       | 69.76%       | 34.35       | 75.00%
418         | 257.57 | 76.6        | 70.26%       | 62.19       | 75.86%
562         | 426.21 | 125.2       | 70.62%       | 98.64       | 76.86%


Table 3. Timings for multiplication with Type II ONB (μs).

Dimension m | Rosing | Algorithm 3 | Time Reduced
158         | 41.26  | 14.12       | 66.78%
233         | 97.44  | 28.64       | 70.61%
281         | 124.68 | 36.75       | 70.52%
410         | 240.05 | 70.1        | 70.80%
575         | 433.42 | 127.59      | 70.56%


Algorithm 3 still reduces the execution time by about 70% compared with Ros-
ing's method. It is not difficult to conclude that our methods significantly reduce
the time required for multiplication. Figure 1 also shows the overall timings for
all three methods, where the dimension m ranges from 150 to 600.

Our methods not only save the execution time of ONB multiplications, but
also reduce the memory requirements compared with Rosing's method. To save
the precomputed rotations of one operand, Rosing's method requires a tempo-
rary array having m entries, each of which keeps one rotation of the operand.
Thus, Rosing's method requires m²/8 bytes. In contrast, our general method
(Algorithm 3) needs 2m · w/8 bytes for each operand, and therefore requires
m · w/2 bytes in total. Our enhanced method for type I ONB (Algorithm 4) needs an
additional m · w/16 bytes, and thus requires 9m · w/16 bytes in total. As shown in
Table 4, Algorithm 3 reduces the memory requirement by up to 77%, and Algorithm
4 reduces the memory requirement by up to 74% for the dimensions in Table 1.
[Figure 1: timing plot; legend: Rosing's Method, Algorithm 3, Algorithm 4]

Fig. 1. Timings for all three methods with m ranging from 150 to 600.



Table 4. Memory requirements for precomputation: number of precomputed bytes
(w = 32).

Dimension m | Rosing's Method (m²/8) | Algorithm 3 (w·m/2) | Memory Reduced | Algorithm 4 for Type I ONB (9w·m/16) | Memory Reduced
158         | 3.05K                  | 2.47K               | 18.99%         | -                                    | -
162         | 3.20K                  | 2.53K               | 20.99%         | 2.85K                                | 11.11%
226         | 6.23K                  | 3.53K               | 43.36%         | 3.97K                                | 36.28%
233         | 6.63K                  | 3.64K               | 45.06%         | -                                    | -
281         | 9.64K                  | 4.39K               | 54.45%         | -                                    | -
292         | 10.41K                 | 4.56K               | 56.16%         | 5.13K                                | 50.68%
410         | 20.52K                 | 6.41K               | 68.78%         | -                                    | -
418         | 21.33K                 | 6.53K               | 69.38%         | 7.35K                                | 65.55%
562         | 38.56K                 | 8.78K               | 77.22%         | 9.88K                                | 74.38%
575         | 40.36K                 | 8.98K               | 77.74%         | -                                    | -



6 Discussions 

Normal basis vs. polynomial basis. For interoperability, it is desirable to 
support both bases in software, which can be done either by implementing both 
bases directly or by implementing one basis together with basis conversion algo- 
rithms. 

Various software implementation techniques for polynomial basis have been
proposed in recent years. The fastest method is described in [8], and a good
survey is given in [3]. Some of the techniques can be very efficient when special
irreducible polynomials are used. So the question is whether it is enough to just
support polynomial basis in software together with basis conversion.

The general method for basis conversion involves storing a conversion ma-
trix W and computing a matrix-vector multiplication for each conversion [4].
The size of W is m²/8 bytes, which can be quite large for memory-constrained
devices. For example, when m = 512, the memory requirement is over 32K
bytes (and 64K bytes if both W and W⁻¹ are stored for efficient conversion in
both directions). Methods for storage-efficient basis conversion were proposed
in [5,6]. Such methods only need to store O(m) bytes, but each conversion then
takes about O(m) field multiplications. The extra O(m) multiplications can be
a slowdown factor for some implementations. We note that all the basis conver-
sion methods assume that both bases are known before the communication, and
certain quantities related to both bases (e.g., W) are already precomputed and
stored. While this is easily done for certain applications, it may not be the case
for other applications. In general, computing these quantities on the fly can be
time consuming, which adds more complexity to basis conversion. Therefore, due
to the overhead of basis conversion, sometimes supporting both bases directly
seems preferable to basis conversion.



Using the new techniques in ECC arithmetic. Our techniques for field
multiplication can be combined with elliptic curve arithmetic to provide further
speed-up. Since some field elements are repeatedly used in ECC operations, we
do not have to perform precomputation for these elements after the first time
they are involved in a multiplication. For example, using projective coordinates,
we need 15 finite field multiplications for a point addition. Using our method, each
multiplication needs to precompute one array for each of the two operands. So
in total we need to precompute 30 arrays. By storing some of the precomputed
results, the number of precomputed arrays can be reduced to 20. This can be
used to further reduce the time for point additions. For example, the precom-
putation of each operand for GF(2^®^) multiplication takes about 20% of the
total multiplication time. Thus, we can save another 13% for each point addition
by reusing the precomputed results.

7 Conclusions 

In this paper, we studied efficient software implementation for GF(2^m) multi-
plication in normal basis. We presented new techniques for normal basis multi-
plication. In particular, our methods were optimized for both type I and type
II ONB. Our techniques are more efficient in terms of both speed and memory
compared with alternative approaches.
Abstract. The Internet is used by more and more people for personal
and business related communication. This paper presents an integrated
scheme for playing lottery on the Internet, which includes purchase of
tickets, generation of winning number, and claiming of prize. Fairness
between the customer and the service provider is maintained at the stages
of purchasing tickets and claiming prize. The customer's identity is kept
anonymous to the service provider. The sum of sold tickets and the sum of
winning tickets are publicly verifiable. The winning number is generated
randomly but verifiably. These features will increase the customer's trust
in the Internet lottery service.



1 Introduction 

Lottery is one of the most widespread forms of gambling in the world. A typical 
lottery service operates in the following way. 

1. The customer selects the type of lottery service and his lucky number. 

2. The customer gets the quotation from the service provider. 

3. The customer and the service provider exchange the lottery ticket and the 
payment physically. 

4. The service provider generates and publishes the winning number. 

5. The winning customer claims the prize. The service provider will verify the 
winning ticket before the prize is awarded. 

The traditional lottery service has some limitations. Customers need to go 
to an outlet to buy lottery tickets. They may have to join a long queue in front 
of the outlet. Obviously, this is less efficient for customers. If customers do not 
have time to buy lottery tickets personally, they may trouble their friends or 
relatives to buy tickets for them. Then the customers’ anonymity cannot be well 
protected. These limitations could be removed if customers can play lottery over 
the Internet. 
In this paper, we present a secure and integrated Internet lottery scheme,
which includes purchase of tickets, generation of winning number, and claiming
of prize. We identify the desired security requirements for playing lottery on
the Internet in Section 2, and review the related work in Section 3. Then, we
give an overview of our scheme in Section 4, and propose detailed protocols in
Section 5. We conclude the paper in Section 6. The following basic notation is
used throughout the paper.

• X,Y: concatenation of two messages X and Y.

• H(X): a one-way hash function of message X.

• e_K(X) and d_K(X): encryption and decryption of message X with key K.

• sS_A(X): party A's digital signature on message X with key S_A.

• S_A and V_A: party A's private signature key and public verification key.

• P_A and : party A's public encryption key and private decryption key.

• A → B : X: party A sends message X to party B.

2 Security Requirements 

When playing lottery on the Internet, the following security requirements should 
be taken into consideration. 

Rl. Fairness on purchase of tickets and claiming of prize 

In the traditional lottery service, when a customer buys a lottery ticket from 
the service provider, they exchange the money and the ticket face to face, thus 
fairness is maintained. This is also true when a winner claims the prize from 
the service provider. In the Internet lottery service, however, the customer and 
the service provider are distributed over the Internet. After one party receives 
the other party’s item, it may refuse to send its item to the other party, which 
leaves the other party in an unfair situation. Therefore, a security mechanism 
is needed to achieve fairness such that either each party gets the other party’s 
item, or no party gets the other party’s item at the end of a transaction. Several 
fair exchange mechanisms are available to satisfy the requirement [1,2,3]. 

R2. Anonymity of lottery players 

In the traditional lottery service, when the customer buys a lottery ticket at 
an outlet, he only needs to pay cash for the ticket. No one knows who the buyer 
is. If the customer is a winner, he can get the prize by showing the winning 
ticket. The customer’s identity is kept anonymous at the stages of purchasing 
tickets and claiming prize, thus protecting jackpot winners against blackmail. 
This requirement is also desirable in the Internet lottery service. An anony- 
mous electronic fund transfer system is needed such that purchase of tickets and 
claiming of prize will not disclose the customer’s identity. The requirement of 
anonymity has been widely discussed in electronic payment systems [4,5,6,13]. 
R3. Verifiable sum of sold and winning tickets

In the traditional lottery service, the sum of sold tickets is counted by the
service provider. As the amount of the winning prize is usually related to the sum
of sold tickets, the service provider might publish a sum smaller than the actual
sum of sold tickets. In addition, since the amount of the winning prize is usually related to
the sum of winning tickets, the service provider might fake winning tickets, so that
the actual winners will get less of a prize. In the Internet lottery service, it is
possible to make the sum of sold tickets and the sum of winning tickets publicly
verifiable by the use of cryptographic techniques.

R4. Random and verifiable generation of winning number 

The winning number should be selected randomly and no ticket is predictably 
more likely to win than any other tickets. In the traditional lottery service, a 
random process may be executed or monitored by an outside auditor for the 
generation of winning number. Unfortunately, as the random process is not re- 
peatable, customers have to trust both the process and the auditing organisation. 
In the Internet lottery service, it is possible to generate the winning number ran- 
domly but publicly verifiable by the use of cryptographic techniques. 

3 Previous Work 

Some research papers on the lottery service have been published in recent years.
Rivest proposed a micropayment scheme based on the use of "electronic lottery
tickets" in [10]. In such a scheme, the bank provides an electronic credential
to the customer with a micropayment account in good standing. With the
credential, the customer can generate lottery tickets and use them to pay for
some services provided by the vendor. The vendor can verify whether a lottery
ticket is a winning ticket and claim payment via the bank. The bank pays off
winning tickets issued by the customer from the customer's account. This scheme
greatly reduces the bank's processing costs since the bank handles only winning
tickets instead of each micropayment. Obviously, this scheme is different from
the real lottery services, where the roles of buyer and seller are turned around.

Goldschlag and Stubblebine proposed a publicly verifiable lottery scheme 
based on a delaying function [8]. Each lottery ticket has an equal chance of being 
selected as a winning ticket. Anyone can calculate the winning number based 
on the parameters of purchased tickets, and the winning number calculation is 
repeatable. Since the calculation uses a delaying function, nobody can get the 
result before the lottery closes. 

Syverson presented two versions of a lottery scheme based on the application 
of the weak protection of secrets [12]. The winning number is determined by the 
ticket numbers purchased, but no one can control the outcome or determine what 
it is until after the lottery closes. This is because the outcome is kept secret in 
a way that is breakable after a predictable amount of time and/or computation. 

Sako presented the design and implementation of a lottery server on WWW 
[11]. The server allows users to define and start a lottery session, participate 
in that session, and verify its outcome. When a lottery session is initiated, each 
player submits a random number to the server. The server generates the outcome 
using a one-way hash function with the concatenation of each player’s random 
number as the input. A rule could be defined to select the winner based on the 
random and verifiable outcome. 

All of these schemes are mainly focused on the mechanisms of winning num- 
ber generation. There are no integrated mechanisms on fair payment for lottery 
tickets and claiming of prize. Moreover, the customer’s anonymity is not consid- 
ered either. 

4 Overview of a New Scheme 

The parties involved in our Internet lottery scheme are the lottery service 
provider S, the customer C, the bank B, and an off-line trusted third party 
TTP. There are several publicly announced dates which are announced well in 
advance of the running of the lottery service. 

— open of ticket sale: a time after which customers can purchase lottery tickets. 

— close of ticket sale: a time after which no new tickets can be purchased. 

— close of winning number generation: a deadline for customers to be involved 
in the generation of winning number. 

We assume that the lottery is simple parimutuel, i.e. the amount of winning 
prize is solely from the sold tickets, and there is no roll-over of winning prize 
[12]. We also assume that both the lottery service provider and the customer 
have an account at their bank. 



Purchase of Tickets. A run of Internet lottery starts at the time of open of 
ticket sale. The customer first selects his lucky number N. He also generates two 
random numbers R1 and R2, which will be used in the generation of winning 
number and claiming of prize (if he is a winner) respectively. Then, the customer 
submits (N, H(R1), H(R2)) to the service provider, and gets the quotation from 
the service provider. After this, the customer requests a cash order from the bank, 
and exchanges the cash order for the lottery ticket with the service provider. 
When the service provider deposits the cash order into the bank, the service 
provider’s account will be credited and the customer’s account will be debited. 
The lottery ticket issued by the service provider contains a transaction number, 
a serial number, the ticket value, and (N, H(R1), H(R2)). 
By the use of a new cryptographic primitive, called the Certificate of Encrypted 
Message Being a Signature (CEMBS) [3], the customer and the service 
provider can fairly exchange the cash order and the lottery ticket. An off-line 
TTP will be involved only if there is something wrong in the exchange. To pre- 
serve the customer’s anonymity, the customer’s identity in the cash order is not 
disclosed to the service provider, and the ownership of a lottery ticket is not 
identified by the customer’s identity. To make the sum of sold and winning tick- 
ets publicly verifiable, the service provider needs to maintain a one-way hash 
chain. Each sold ticket should be linked into the hash chain. The initial output 
and the final output of the hash chain, as well as all of the sold tickets should 
be published at the time of close of ticket sale. 



Generation of Winning Number. After the ticket-selling session is closed, 
each customer could be involved in the generation of winning number by 
submitting his random number R1 to the service provider. If there is a denial of 
service attack, customers can submit their R1 to an off-line TTP, which then 
forwards them to the service provider. The service provider can verify R1 by checking 
whether there is a ticket containing H(R1). Only valid submissions are used in 
the generation of winning number. The outcome remains random even if most 
customers do not submit R1 for the generation of winning number. 

The service provider needs to publish all valid submissions received before 
the deadline of close of winning number generation, thus the process of winning 
number generation is publicly verifiable, and nobody can predict the outcome 
before the deadline. As all of the sold tickets are chained and the chain is pub- 
licly verifiable, the sum of winning tickets is also publicly verifiable. The service 
provider cannot forge winning tickets without being detected. 



Claiming of Prize. After the winning number is generated, the winning 
customer claims his prize. The customer first submits his winning ticket to the 
service provider for verification. If the service provider does not hold the R2 
corresponding to H(R2) in the winning ticket, it means the prize has not been 
claimed. Then, the service provider requests a cash order from the bank, and 
exchanges the cash order for R2 with the customer. When the customer deposits 
the cash order into the bank, the customer’s account will be credited and the 
service provider’s account will be debited. 

We use the same techniques as in the ticket-selling session to keep the cus- 
tomer’s identity anonymous to the service provider and make the process of prize 
claim fair to both parties. 



Definition of CEMBS. The CEMBS technique can be used to prove that an 
encrypted message is a certain party’s signature on a public file without revealing 
the signature. 
Suppose s = sS_A(m) is party A’s digital signature on m, and c = eP_TTP(s) 
is the cipher text of s encrypted with the trusted third party’s public encryption 
key. A can generate a CEMBS, denoted as Cert, to prove that c is indeed the 
encryption of the signature s without disclosing s. There exists a public verification 
algorithm Veri to check whether (m, c, Cert) is valid. 

Veri(m, c, Cert, V_A, P_TTP) = yes or no 

If yes, the verifier will be convinced that dP_TTP(c) = sS_A(m). 

A CEMBS could be constructed on the ElGamal public key encryption 
scheme [7] and the Guillou-Quisquater signature scheme [9]. 

5 An Internet Lottery Scheme 

The following notation is used in the description of our Internet lottery scheme. 

• N: the lucky number selected by C. 

• R1, R2: the random numbers generated by C. 

• $_C, $_S: the amount of payment for purchase of ticket and for claiming of 
prize, respectively. 

• TID: the transaction ID generated by S. 

• ticket_no: the serial number of a lottery ticket generated by S. 

• ticket = sS_S(TID, ticket_no, $_C, N, H(R1), H(R2)): a lottery ticket issued 
by S. 

• salt1, salt2: the random salts generated by C. 

• Account_C, Account_S: the bank account numbers of C and S, respectively. 

• form_C = eP_B(Account_C, salt1), Account_S, $_C, TID, N, H(R1), H(R2): 
the content of an electronic cash order for purchase of ticket. 

• form_S = Account_S, eP_B(Account_C, salt2), $_S, ticket: the content of an 
electronic cash order for claiming of prize. 

• cash_C = sS_B(form_C): an electronic cash order issued to C by B. 

• cash_S = sS_B(form_S): an electronic cash order issued to S by B. 

• cipher_cash_C = eP_TTP(cash_C): the cipher text of cash_C encrypted with 
the TTP’s public encryption key. 

• cipher_cash_S = eP_TTP(cash_S): the cipher text of cash_S encrypted with 
the TTP’s public encryption key. 

• Cert_C: a CEMBS generated by C which can be used to verify whether 
cipher_cash_C is the cipher text of B’s signature on form_C, i.e. 

Veri(form_C, cipher_cash_C, Cert_C, V_B, P_TTP) = yes or no 

• Cert_S: a CEMBS generated by S which can be used to verify whether 
cipher_cash_S is the cipher text of B’s signature on form_S, i.e. 

Veri(form_S, cipher_cash_S, Cert_S, V_B, P_TTP) = yes or no 
5.1 Protocol 1: Purchase of Tickets 

The protocol for purchase of ticket is as follows. 

1. C → S : N, H(R1), H(R2) 

2. S → C : TID, $_C, Account_S 

3. C → B : form_C, sS_C(form_C) 

4. B → C : eP_C(cash_C) 

5. C → S : TID, eP_B(Account_C, salt1), cipher_cash_C, Cert_C 

6. S → C : TID, ticket_no, ticket 

7. C → S : TID, cash_C 

8. S → B : form_C, cash_C 

At Step 1, the customer selects his lucky number N, generates two random 
numbers and calculates their hash values. The customer sends (N, H(R1), H(R2)) 
to the service provider, and keeps (R1, R2) confidential. Upon receiving the 
customer’s purchase request, the service provider offers the quotation $_C at 
Step 2. TID is used to identify the transaction, and Account_S is the service 
provider’s bank account number for receiving the customer’s payment. 

Upon receiving the quotation, the customer requests a cash order from the 
bank at Step 3. After authenticating the request with the customer’s signature 
and checking the balance of the customer’s account, the bank issues the cash 
order cash_C at Step 4. The cash order specifies the debiting account (Account_C), 
the crediting account (Account_S), the amount of payment ($_C), and the purpose 
of payment (TID, N, H(R1), H(R2)). The bank may freeze the amount of payment 
in the customer’s account until cash_C expires or the recipient claims the payment 
with cash_C. To preserve the customer’s anonymity, Account_C is encrypted with 
the bank’s public encryption key.^ To prevent cash_C from being intercepted by 
the service provider before issuing the ticket, it is encrypted with the customer’s 
public encryption key in transmission at Step 4. 

After receiving the cash order from the bank, the customer generates the 
cipher cash order (cipher_cash_C) and a CEMBS certificate (Cert_C), and sends 
them to the service provider at Step 5. The service provider can verify whether 
cipher_cash_C is indeed the bank’s signature on form_C, and whether the crediting 
account number and the amount of payment are correct. If so, it issues the 
lottery ticket to the customer at Step 6.^ Upon receiving ticket, the customer 
checks (N, H(R1), H(R2)) to see whether the ticket is what he intends to buy. 
If so, the customer sends the cash order (cash_C) to the service provider at 
Step 7. The service provider can get the payment by depositing cash_C into the 
bank at Step 8. The bank gets the debiting account number by decrypting 
eP_B(Account_C, salt1), and transfers $_C from Account_C to Account_S. 

^ To make the customer’s repeat transactions unlinkable by the service provider, a 
random salt is attached to Account_C before encryption. 

^ If the service provider aborts after Step 5, the transaction status may not be decided 
until the time of close of ticket sale. 
Occasionally, the customer may dislike the lottery ticket he just bought, and 
wants to abort the transaction by not sending cash_C to the service provider 
at Step 7. Obviously, this is unfair to the service provider, since it has issued 
the ticket to the customer without receiving the payment. With the recovery 
sub-protocol below, the service provider could force the transaction by sending 
the lottery ticket and the encrypted cash order to the TTP in exchange for the 
decrypted cash order. 

7.1 S → TTP : form_C, cipher_cash_C, ticket_no, ticket 

7.2 TTP → S : TID, cash_C 

7.3 TTP → C : TID, ticket_no, ticket 

The service provider sends out the recovery request at Step 7.1. The TTP can 
get cash_C by decrypting cipher_cash_C. Then the TTP checks whether cash_C 
is the payment for ticket by comparing ($_C, N, H(R1), H(R2)) in cash_C and 
ticket. The TTP also checks that the time of close of ticket sale has not yet 
passed. If both checks succeed, the TTP sends cash_C to the service provider at 
Step 7.2, and ticket to the customer at Step 7.3. If the recovery request arrives 
after the time of close of ticket sale but before the deadline of close of winning 
number generation, the TTP only issues a signed revocation notice to both parties, 
with which the service provider could exclude the ticket as a valid one. 

The lottery ticket issued by the service provider need not be kept confidential. 
Nobody can claim the prize from the service provider even if holding a winning 
ticket unless R2 is presented, which is only known to the customer who bought 
the ticket. 

Once a ticket is sold to the customer, the service provider should link the 
ticket to a one-way hash chain. Suppose the sum of lottery tickets sold by the 
time of close of ticket sale is j. The hash chain could be created as follows. 

chain_1 = H(ticket_1) 
chain_2 = H(chain_1, ticket_2) 
... 
chain_j = H(chain_{j-1}, ticket_j) 

The service provider needs to publish chain_1 and chain_j, as well as ticket_i 
(i = 1, 2, ..., j) at the time of close of ticket sale. Then, each customer can 
check whether his ticket is included in the hash chain, and the total number of 
sold tickets is publicly verifiable. ticket_no could be used to quickly identify the 
location of a ticket in the hash chain.^ 



^ To maintain the scalability, the service provider could create multiple hash chains 
and allow customers to select which chain their tickets are linked to. The name of 
the selected hash chain will be added into ticket and used with ticket_no to identify 
the ticket location. 
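The hash chain above, as an added example that is not code from the paper. It assumes (my choices, not the paper's) that H is SHA-256 over its inputs joined with '|', that a ticket is the '|'-joined tuple (TID, ticket_no, $_C, N, H(R1), H(R2)) without S's signature, and that ticket_no is the 1-based position of the ticket in a single chain, so it locates the ticket directly; the multiple chains of the footnote are not modelled. It shows the two checks the text relies on: anyone recomputing j from the published tickets, and a customer checking that his own ticket is linked in.

```python
"""Hash chain of sold tickets (added example; not code from the paper).

Assumptions made here, not by the paper: H is SHA-256 over its inputs joined
with '|'; a ticket is the '|'-joined tuple (TID, ticket_no, $_C, N, H(R1), H(R2))
without S's signature; and ticket_no is the 1-based position of the ticket in a
single chain, so it locates the ticket directly.
"""
import hashlib
from typing import List, Tuple


def H(*parts: str) -> str:
    """One-way hash H over the concatenation of its inputs, as a hex digest."""
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def make_ticket(tid: str, ticket_no: int, amount: str, N: str, R1: str, R2: str) -> str:
    """Ticket content (TID, ticket_no, $_C, N, H(R1), H(R2)); R1 and R2 stay with C."""
    return "|".join([tid, str(ticket_no), amount, N, H(R1), H(R2)])


def build_chain(tickets: List[str]) -> List[str]:
    """chain_1 = H(ticket_1), chain_i = H(chain_{i-1}, ticket_i) for i = 2..j."""
    chain: List[str] = []
    for i, t in enumerate(tickets):
        chain.append(H(t) if i == 0 else H(chain[-1], t))
    return chain


def publish(tickets: List[str]) -> Tuple[str, str, List[str]]:
    """What S publishes at close of ticket sale: chain_1, chain_j and every ticket."""
    chain = build_chain(tickets)
    return chain[0], chain[-1], list(tickets)


def verify_publication(chain_1: str, chain_j: str, tickets: List[str]) -> bool:
    """Anyone recomputes the chain from the published tickets; a dropped or
    inserted ticket changes chain_j, so S cannot understate the count j."""
    if not tickets:
        return False
    chain = build_chain(tickets)
    return chain[0] == chain_1 and chain[-1] == chain_j


def verify_inclusion(ticket: str, tickets: List[str], chain_j: str) -> bool:
    """Customer's check: my ticket sits at the position its ticket_no names,
    and the chain ending in the published chain_j passes through it."""
    idx = int(ticket.split("|")[1]) - 1
    if idx < 0 or idx >= len(tickets) or tickets[idx] != ticket:
        return False
    return build_chain(tickets)[-1] == chain_j


def sold_count(chain_1: str, chain_j: str, tickets: List[str]) -> int:
    """Publicly verifiable number of sold tickets, or -1 if the publication is inconsistent."""
    return len(tickets) if verify_publication(chain_1, chain_j, tickets) else -1


if __name__ == "__main__":
    # Constructed sample: three tickets, then S tries to hide the third one
    sold = [make_ticket("T%d" % i, i, "1", str(40 + i), "r1-%d" % i, "r2-%d" % i)
            for i in (1, 2, 3)]
    c1, cj, pub = publish(sold)
    print("published count verifies:", sold_count(c1, cj, pub))
    print("count after dropping a ticket:", sold_count(c1, cj, pub[:-1]))
```

Because chain_j commits to every ticket in order, the provider cannot remove a ticket after publication without chain_j failing to recompute, and a customer whose ticket is missing from the published list has immediate evidence.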
The service provider might issue “free” lottery tickets to itself. However, this 
does not bring profit to the service provider in the simple parimutuel lottery. As 
any valid ticket has to be linked into the hash chain and the total number of sold 
tickets is publicly verifiable, these “free” tickets will increase the corresponding 
amount of winning prize. As we will see in Section 5.2, the generation of 
winning number is random and out of the service provider’s control, so these “free” 
tickets have no higher chance than other tickets to be winning tickets. If they 
are not selected as winning tickets, the service provider has to pay for them to 
compensate the actual amount of winning prize. 



5.2 Protocol 2: Generation of Winning Number 

After the ticket-selling session is closed, each customer could be involved in 
the generation of winning number by submitting his random number R1 to the 
service provider. A signed receipt might be requested by the customer. The 
protocol for generation of winning number is as follows. 

1. C → S : ticket_no, R1 

2. S → C : sS_S(ticket_no, R1) 

Of course, if a customer does not want to be involved in the generation of 
winning number, he can simply give up the right. To make the outcome 
unpredictable to anybody, we assume there are at least two non-colluding customers 
who submitted their R1 to the service provider. The customer’s optional 
involvement improves the scalability compared with the proposal in [11] where 
the winning number cannot be generated as long as one of the customers does 
not co-operate. 

If there is a denial of service attack when a customer submits his R1 to the 
service provider for the generation of winning number, he may invoke the service 
from an off-line TTP.^ 

1. C → TTP : ticket_no, R1 

2. TTP → C : sS_TTP(ticket_no, R1) 

The TTP passes these submissions received by the deadline of close of win- 
ning number generation to the service provider. Thus, the service provider cannot 
influence the outcome by deliberately rejecting some submissions. 

Suppose R11, R12, ..., R1k are the random numbers received by the deadline 
of close of winning number generation. Without knowing the customer’s identity, 
the service provider can verify R1i (i = 1, 2, ..., k) by checking whether there is 
a ticket containing H(R1i). Only valid submissions are used in the generation 
of winning number. The service provider needs to publish these submissions. 
Thus, customers who made valid submissions can check whether their random 
numbers are used in the generation of winning number. If not, customers can 
use the signed receipts to prove the service provider’s misbehaviour. 

^ It mainly protects against the denial of service attack from a dishonest service 
provider that intends to influence the outcome of winning number generation. Other 
measures are needed to protect against the distributed denial of service attacks. 

Suppose all of the above submissions are valid. The winning number could 
be generated by the use of a one-way hash function with R1i (i = 1, 2, ..., k) as 
its input. A pre-defined rule could be used to map the winning number to the 
winning tickets. 

winning number = H(R11, R12, ..., R1k) 

The number of submissions and each submission received from customers are 
random, thus nobody (not even the service provider) can predict the outcome 
before the deadline of close of winning number generation. Further, with a one- 
way hash function, it is computationally infeasible to find the pre-image of a 
designated winning number. 

As the random numbers used in the generation of winning number are pub- 
lished, the process of winning number generation is publicly verifiable. In addi- 
tion, as the initial output and the final output of the chained tickets have also 
been published, each winning ticket is publicly verifiable as well. It is compu- 
tationally hard for the service provider to forge a winning ticket without being 
detected. 

In practice, random numbers submitted to the service provider may not be 
published instantaneously and the clock may not be well synchronized among all 
participants. Then, a dishonest service provider may try to manipulate the outcome 
of winning number generation by adding, soon after the deadline of close of winning 
number generation, random numbers of its own valid tickets that steer the result 
in its favour. To prevent this kind of cheating, a delaying function [8] could be 
used in the generation of winning number, so that the service provider cannot 
obtain the winning number until it has actually published all valid random numbers 
received by the deadline. 
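The winning number generation of this section, including the validation of submissions against H(R1) in the published tickets and the delaying-function remark above, as an added example that is not code from the paper. Assumptions (mine, not the paper's): H is SHA-256 over '|'-joined inputs; a published ticket is the '|'-joined tuple (TID, ticket_no, $_C, N, H(R1), H(R2)); lucky numbers are integers 0..99 and the pre-defined rule maps the winning number to the lucky number winning number mod 100; and the delaying function of [8] is represented by a plain sequential hash iteration, which is only a placeholder for a real delaying function.

```python
"""Winning number from customers' R1 submissions (added example; not the paper's code).

Assumptions made here, not by the paper: H is SHA-256 over '|'-joined inputs;
a published ticket is the '|'-joined tuple (TID, ticket_no, $_C, N, H(R1), H(R2));
lucky numbers are 0..99 and the pre-defined rule is (winning number mod 100);
the delaying function of [8] is replaced by sequential hash iteration, a
placeholder only.
"""
import hashlib
from typing import Dict, List, Tuple


def H(*parts: str) -> str:
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def ticket_fields(ticket: str) -> Dict[str, object]:
    tid, no, amount, N, hR1, hR2 = ticket.split("|")
    return {"TID": tid, "ticket_no": int(no), "$_C": amount,
            "N": N, "H(R1)": hR1, "H(R2)": hR2}


def validate_submissions(submissions: List[Tuple[int, str]],
                         published_tickets: List[str]) -> List[str]:
    """S checks each (ticket_no, R1) against the published tickets: a submission
    is valid iff the ticket with that serial number carries H(R1). No customer
    identity is needed. A second submission for the same ticket is ignored."""
    fields = [ticket_fields(t) for t in published_tickets]
    by_no = {f["ticket_no"]: f for f in fields}
    valid: List[str] = []
    seen = set()
    for ticket_no, R1 in submissions:
        t = by_no.get(ticket_no)
        if t is None or t["H(R1)"] != H(R1) or ticket_no in seen:
            continue
        seen.add(ticket_no)
        valid.append(R1)
    return valid


def winning_number(valid_R1s: List[str], delay_iterations: int = 1) -> str:
    """winning number = H(R11, R12, ..., R1k); the paper assumes at least two
    non-colluding submissions, so fewer than two is refused here."""
    if len(valid_R1s) < 2:
        raise ValueError("need at least two submissions for an unpredictable outcome")
    digest = H(*valid_R1s)
    # Placeholder for the delaying function of [8]: each round depends on the
    # previous one, so the result is not available before all rounds are done.
    for _ in range(delay_iterations - 1):
        digest = H(digest)
    return digest


def winning_lucky_number(win: str, modulus: int = 100) -> int:
    """Pre-defined rule (assumed) mapping the winning number to a lucky number."""
    return int(win, 16) % modulus


def winning_tickets(win: str, published_tickets: List[str]) -> List[int]:
    """Serial numbers of the tickets whose lucky number N matches; anyone can
    recompute this from the published tickets and submissions."""
    target = str(winning_lucky_number(win))
    return [int(ticket_fields(t)["ticket_no"]) for t in published_tickets
            if ticket_fields(t)["N"] == target]


if __name__ == "__main__":
    # Constructed sample: 100 tickets with lucky numbers 0..99, three submissions,
    # one of them with a wrong R1 that does not match the ticket's H(R1)
    tickets = ["|".join(["T%d" % (i + 1), str(i + 1), "1", str(i),
                         H("r1-%d" % i), H("r2-%d" % i)]) for i in range(100)]
    subs = [(1, "r1-0"), (2, "r1-1"), (3, "not-the-preimage")]
    valid = validate_submissions(subs, tickets)
    win = winning_number(valid, delay_iterations=1000)
    print("valid submissions:", len(valid))
    print("winning tickets:", winning_tickets(win, tickets))
```

Since every valid R1 is published, anyone can rerun validate_submissions and winning_number and reach the same winning tickets, and a submitter whose R1 was silently left out can show the signed receipt against the published list.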



5.3 Protocol 3: Claiming of Prize 

The protocol for claiming of prize is as follows. 



1. 
At Step 1, the customer sends the winning ticket to the service provider. 
The customer’s bank account number (Account_C) is also provided for receiving 
the prize. To keep the customer’s identity anonymous, Account_C, to which a 
random salt is attached, is encrypted with the bank’s public encryption key. 

Upon receiving the winning ticket from the customer, the service provider 
checks whether it is indeed a winning ticket by verifying its lucky number N. The 
service provider further checks whether the prize has been claimed by searching 
for the R2 corresponding to its H(R2). If N is the winning number and R2 is not found, 
the service provider requests a cash order from the bank at Step 2. 

After authenticating the request with the service provider’s signature and 
checking the balance of the service provider’s account, the bank issues the cash 
order cash_S at Step 3. The bank may freeze the amount of payment in the service 
provider’s account until cash_S expires or the recipient claims the payment 
with cash_S. To prevent cash_S from being intercepted by the customer before 
releasing R2, it is encrypted with the service provider’s public encryption key in 
transmission at Step 3. 

After receiving the cash order from the bank, the service provider generates 
the cipher cash order (cipher_cash_S) and a CEMBS certificate (Cert_S), and 
sends them to the customer at Step 4. The customer can verify whether 
cipher_cash_S is indeed the bank’s signature on form_S, and whether the crediting 
account number and the amount of payment are correct.^ If so, the customer 
releases R2 to the service provider at Step 5. Upon receiving R2, the service 
provider checks whether R2 is the random number matching H(R2) in the winning 
ticket. If so, the service provider sends the cash order (cash_S) to the customer 
at Step 6. The customer can get the payment by depositing cash_S into 
the bank at Step 7. 

In the above prize claim protocol, a dishonest service provider might use its 
advantage in the transaction, i.e. holding R2 at Step 5, to refuse the payment 
at Step 6 by falsely claiming that the prize related to the winning ticket has already 
been paid. Obviously, this is unfair to the customer, since he has released R2 of 
his winning ticket to the service provider without receiving the payment. With 
the recovery sub-protocol below, the customer could get the payment by sending 
the winning ticket plus R2 as well as the encrypted cash order to the TTP in 
exchange for the decrypted cash order. 

6.1 C → TTP : form_S, cipher_cash_S, TID, ticket_no, $_C, N, H(R1), H(R2), R2 

6.2 TTP → C : TID, cash_S 

6.3 TTP → S : TID, R2 

^ Although Account_C is in cipher text, the customer can verify Account_C which is 
encrypted by himself with the bank’s public encryption key at Step 1. 
The customer sends out the recovery request at Step 6.1. The TTP can get 
cash_S by decrypting cipher_cash_S. Then the TTP checks whether R2 matches 
H(R2) in ticket, which is specified in cash_S as the winning ticket for receiving 
the prize. If so, the TTP sends cash_S to the customer at Step 6.2, and R2 to 
the service provider at Step 6.3. Thus, the exchange remains fair. 
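The R2 checks that decide whether a prize is paid, on the service provider's side (Steps 1 and 5 of Protocol 3) and on the TTP's side (Step 6.1 of the recovery sub-protocol), as an added example that is not code from the paper. Assumptions (mine, not the paper's): H is SHA-256 over '|'-joined inputs; a ticket is the '|'-joined tuple (TID, ticket_no, $_C, N, H(R1), H(R2)); the winning number has already been mapped to a winning lucky number by the pre-defined rule. Signatures, the cash order and the CEMBS certificate are not modelled; what the example shows is that the ticket alone authorises nothing, R2 as the pre-image of H(R2) does, and that a second claim on the same ticket is refused because S already holds its R2.

```python
"""Prize claim checks (added example; not code from the paper).

Assumptions made here, not by the paper: H is SHA-256 over '|'-joined inputs;
a ticket is the '|'-joined tuple (TID, ticket_no, $_C, N, H(R1), H(R2)); the
winning lucky number is already known. cash_S, Cert_S and signatures are not
modelled.
"""
import hashlib
from typing import Dict


def H(*parts: str) -> str:
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def ticket_fields(ticket: str) -> Dict[str, str]:
    tid, no, amount, N, hR1, hR2 = ticket.split("|")
    return {"TID": tid, "ticket_no": no, "$_C": amount,
            "N": N, "H(R1)": hR1, "H(R2)": hR2}


class PrizeDesk:
    """Service provider's view of prize claims for one lottery run."""

    def __init__(self, winning_lucky_number: str):
        self.winning_N = winning_lucky_number
        # ticket_no -> R2 once the prize has been paid; "holding R2" means claimed
        self.released_R2: Dict[str, str] = {}

    def is_winning(self, ticket: str) -> bool:
        return ticket_fields(ticket)["N"] == self.winning_N

    def already_claimed(self, ticket: str) -> bool:
        return ticket_fields(ticket)["ticket_no"] in self.released_R2

    def accept_claim(self, ticket: str) -> bool:
        """Step 1 check: only a winning, not yet claimed ticket starts the
        cash order exchange (Steps 2 to 4)."""
        return self.is_winning(ticket) and not self.already_claimed(ticket)

    def settle(self, ticket: str, R2: str) -> bool:
        """Step 5 check: R2 must be the pre-image of H(R2) in the ticket;
        only then is cash_S released at Step 6 and R2 recorded."""
        f = ticket_fields(ticket)
        if not self.accept_claim(ticket) or H(R2) != f["H(R2)"]:
            return False
        self.released_R2[f["ticket_no"]] = R2
        return True


def ttp_recovery_check(ticket_in_form_S: str, R2: str) -> bool:
    """Step 6.1 check by the TTP: R2 matches H(R2) of the ticket that cash_S
    names as the winning ticket; if so, cash_S goes to C and R2 to S."""
    return H(R2) == ticket_fields(ticket_in_form_S)["H(R2)"]


if __name__ == "__main__":
    # Constructed sample: winning lucky number 42, one winning ticket
    t = "|".join(["T7", "7", "1", "42", H("r1-secret"), H("r2-secret")])
    desk = PrizeDesk("42")
    print("claim accepted:", desk.accept_claim(t))
    print("settle with wrong R2:", desk.settle(t, "guess"))
    print("settle with real R2:", desk.settle(t, "r2-secret"))
    print("second claim accepted:", desk.accept_claim(t))
    print("TTP recovery check:", ttp_recovery_check(t, "r2-secret"))
```

The same pre-image test is what the TTP applies in recovery, which is why a provider that received R2 at Step 5 and then refused payment gains nothing: the customer can hand R2 and cipher_cash_S to the TTP, which releases cash_S on exactly that check.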

6 Conclusion 

The traditional lottery game may exclude busy people from playing because of its 
inefficient ticket-selling channel. The Internet lottery game can remove this 
limitation and even provide some new features. 

We proposed an integrated Internet lottery scheme covering purchase of tick- 
ets, generation of winning number, and claiming of prize. It has the following 
features. 

— The customer and the service provider need not trust each other. 

— Both the customer and the service provider are guaranteed not to be cheated 
when purchasing tickets and claiming prize. 

— The customer’s identity is not disclosed to the service provider throughout 
the service. 

— The total number of sold tickets and the total number of winning tickets are 
publicly verifiable. The service provider cannot gain profit by hiding lottery 
revenue or faking winning tickets. 

— The winning number is generated randomly. Nobody, not even the service 
provider, can predict the outcome. 

— Each customer has the freedom to be involved or not in the winning number 
generation without affecting the randomness of the outcome. 

— The process of winning number generation is publicly verifiable. 

These features make the Internet lottery service attractive to customers. 
Abstract. In this paper we study the problem of how to protect users’ privacy in 
web transactions of digital goods. In particular, we introduce a system which 
allows a user to disclose his/her identity information (such as user account or 
credit card number) to a web site in exchange for a digital item, but prevents the 
web site from learning which specific item the user intends to obtain. The 
problem concerned here is orthogonal to the problem of anonymous 
transactions [RSG98, RR98] but commensurate with the general problem of 
PIR (private information retrieval) [CGK95, CG97]. Most of the existing results 
in PIR, however, are theoretical in nature and cannot be applied in practice due 
to their large communication and computational overheads. In the present 
paper, we introduce two practical solutions that satisfy the above two 
requirements and analyze their security and performance. 



1. Introduction 

Privacy has been a sensitive issue since long before the advent of the Internet. However, the 
Internet creates many new threats to personal privacy and raises some unique privacy 
concerns. Such concerns have been magnified in recent years due to the widespread 
use of the world-wide web and the accompanying e-commerce activities. Information 
sent over the Internet may pass through dozens of different computer systems on the 
way to its destination. Each of these systems may be capable of monitoring, 
capturing, and storing online communications. When a user surfs the web, many web 
sites deposit the user’s browsing patterns or transaction-generated data on the user’s hard 
drive, which can be re-used by the web sites when the user returns. Most web 
browsers invisibly provide web sites with information about the user’s computer (such as 
IP address, domain name, screen resolution, available plug-ins) as well as with 
information about the locations of other web sites a user has visited. The highly 
connected nature of the Internet makes it easy to automatically collect users’ 
information from many different sources and compile a dossier about an individual - 
his or her likes and dislikes, shopping patterns, whereabouts and so on. Such data is a 
potentially valuable source of revenue for many businesses — it is useful to direct 
marketers as a basis for deriving targeted lists of users with similar likes; it can also be 
the source of abuses that may cause embarrassment for users who have accessed 
sensitive or controversial materials online. 

Not only are net users concerned about privacy when surfing the web; organizations 
are also starting to take customers’ on-line privacy seriously to build users’ confidence in 
their business. Over the past year, a number of web sites have been caught in high-profile 
blow-ups over how they collect and use user data. After online advertising 
company Doubleclick revealed its now-abandoned practice of cross-referencing data 
about users’ offline purchasing behaviour with their online habits, the company’s 
stock dived. 

The present paper studies the technical aspect of online privacy protection. A 
number of systems and tools have been developed to allow web user anonymity while 
retrieving information on the web. One type of commercially available tool is the 
anonymizer, such as Anonymizer from Anonymizer.com [Ano] and Freedom from 
Zero-Knowledge Systems Inc [ZKSI]. Anonymizer is a service that submits http 
requests to web sites on behalf of its users. Because the request is submitted by the 
anonymizer agent rather than the user, the only IP address revealed to the web site is 
that of the agent. However, users of this service have to trust the anonymizer to keep 
their IP addresses and their web activities private, since they are not anonymous to the 
anonymizer itself. 

Onion Routing [RSG98] and Crowds [RR98] are two anonymity systems that do 
not require users to trust a single third party to maintain anonymity. Onion Routing is 
a general-purpose infrastructure for anonymous communication over a public 
network. It operates by dynamically building anonymous connections within a 
network of real-time Chaum Mixes [Cha81]. A Mix is a store-and-forward device that 
accepts a number of fixed-length messages from numerous sources, performs 
cryptographic transformations on the messages, and then forwards the messages to the 
next destination in a random order. A single Mix makes tracking of a particular 
message, whether by specific bit-pattern, size, or ordering with respect to other messages, 
difficult. By routing through numerous Mixes in the network, determining who is 
talking to whom is even more difficult. Crowds is a system for protecting users’ 
anonymity on the web. It is named for the notion of “blending into a crowd” and 
operates by grouping users into a large and geographically diverse group, i.e., a crowd, 
that collectively issues http requests on behalf of its members. In Crowds, web servers 
are unable to trace the source of a request because it is equally likely to have 
originated from any member of the crowd, and even collaborating crowd members 
cannot distinguish the originator of a request from a member who is merely 
forwarding the request on behalf of another. 

The above anonymous systems are useful for web surfing in which users have no 
desire, or are not required, to be identified. Therefore, they are mostly useful when users 
visit free web sites and download free digital goods. However, when users wish to 
make online purchases using their credit card numbers or membership accounts, they 
need to provide some identifying or authenticating information. In such situations the 
issue of privacy protection is not user anonymity, but how to hide users’ 
shopping/surfing patterns as much as possible from web servers. This problem is in 
essence orthogonal to the anonymous communications problem. The former is 
concerned with hiding the user’s surfing activities from the server while the user is required 
to reveal his/her identification information to the server; the latter is concerned 
with hiding the user’s identity while all the user’s surfing activities are under the prying eyes 
of the server. 

In this paper we propose a system architecture and the corresponding protocols 
which protect users’ privacy in web transactions of digital goods. It works in 
conjunction with anonymous systems such as Anonymizer [Ano], Freedom [ZKSI], 
Crowds and Onion Routing. But it serves a very different purpose. Specifically, we 
introduce a system which allows a user to disclose his/her identity information (such as 
user account or credit card number) to a web site in exchange for a digital item, but 
prohibits the web site from learning which specific item the user intends to obtain. 
Moreover, we require that the system be highly efficient in operation and not 
impose an unacceptable processing burden in online transactions. 

The rest of the paper is organized as follows. In Section 2 we review private 
information retrieval (PIR) schemes in the literature [CGK95, CG97, KO97, GIKM98, 
CMS99]. The original research objective of PIR is to allow users to retrieve 
information from a database while keeping their query private from the server. So far 
most of the existing results in PIR are theoretical in nature. We will discuss why they 
cannot be applied in our system. In Section 3 we describe the principle and the 
architecture of our solution with an emphasis on practicality and feasibility of its 
implementation. In Section 4 we present our first protocol based on blinding RSA 
decryption along with its performance and security analysis. In Section 5 we show our 
second protocol based on commutative symmetric key ciphers. In Section 6 we 
conclude our paper by discussing some open issues related to privacy protection, such 
as auditing, royalty payment and compatibility with digital content protection 
systems. 

2. Overview of PIR Schemes 

The topic of retrieving information from a database without disclosing what the 
information is has been studied under the terminology of PIR (private information 
retrieval). The PIR problem was first formulated and studied in [CGK95], where the 
solutions assumed multiple databases and aimed at information-theoretical security. 
However, its assumption that multiple databases would not communicate with one 
another is considered unrealistic in practical applications. Later in [CG97], [KO97], 
[GIKM98] and [CMS99], PIR schemes with a single database were proposed. These 
solutions were based on computational complexity assumptions, such as the hardness 
of factoring n = pq. Unfortunately, the computational costs of these solutions are very 
large due to their bit-by-bit processing nature. They require O(N) multiplications 
modulo a 1024-bit number for retrieval of just one information bit, where N is the 
total number of bits in the database. 

Most PIR schemes based on computational complexity assumptions aim at 
reducing communications cost. The scheme in [CMS99] can achieve a 
communications cost of poly(\log N) while those in [CG97], [KO97] and [GIKM98] 
have communications cost of O(N^\epsilon) for any \epsilon < 1. Mathematically, these schemes are 
very beautiful. But from the implementation viewpoint, they are completely impractical 
since they all have computation complexity of at least O(N) to retrieve just 1 
information bit. A practical scheme should process messages file-by-file instead of 
bit-by-bit. 

To give the reader an idea of how PIR schemes work, we present in the following 
a simplified PIR scheme that was originally from [CG97]. 

Scenario: A database has many files with a total of N bits. The N bits are arranged 
into a \sqrt{N} \times \sqrt{N} square table. Let's denote the bit on the ith row and jth column 
by b_{i,j}. 

Retrieval: A client desires to obtain a file that spans from the uth bit to the vth bit. 
He/she retrieves the file 1 bit at a time. To retrieve the bit b_{s,t}, the client proceeds as 
follows: 

1. The client chooses n = pq for primes p and q, gives n to the database and 
keeps p and q secret. Hence only the client can judge whether a given 
number is a quadratic residue or quadratic non-residue mod n. 

2. The client randomly chooses y_1, y_2, ..., y_{\sqrt{N}} such that all of them except 
y_t are quadratic residues mod n; y_t is a quadratic non-residue. The client sends 
all the y_j's to the database. 

3. The database computes z_i = \prod_{j=1}^{\sqrt{N}} y_j^{b_{i,j}} mod n for i = 1, 2, ..., \sqrt{N} 
and sends all the z_i's to the client. 

4. The client checks if z_s is a quadratic residue or not. If yes, b_{s,t} is 1, 
otherwise b_{s,t} is 0. 

It is easy to see that the above scheme has a communication complexity of 
O(\sqrt{N}). To achieve O(N^\epsilon) for any \epsilon < 1, the database arranges the N bits in a matrix 
with a large number of rows and a small number of columns, instead of a square matrix. 
Then the same procedure is applied to the matrix. By recursively applying the 
procedure, the communication complexity of O(N^\epsilon) for any \epsilon < 1 can be achieved. 

In the more recent papers such as [K097, GIKM98 and CMS99], database 
security is treated more carefully, e. g., to guarantee the client to retrieve at most one 
bit in each execution of the retrieving procedure. 
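As an added illustration of the [CG97]-style scheme just described (example code written for this edition, not from the paper or from [CG97]; the toy 16-bit primes found by trial division, the constructed 4 x 4 bit table and every function name are assumptions of the example): the client's query, the database's answer, and the client's residuosity test. With the product z_i = \prod_j y_j^{b_{i,j}} of step 3, z_s is a non-residue exactly when b_{s,t} = 1, so the code reads a residue as 0; the Jacobi-symbol check makes visible why the database, which lacks p and q, cannot tell y_t apart from the other y_j's.

```python
import random
from math import gcd, isqrt


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy 16-bit primes used in this example."""
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))


def next_prime(start: int) -> int:
    """First prime >= start (constructed toy parameters, not the paper's 512-bit ones)."""
    while not is_prime(start):
        start += 1
    return start


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0: the most the database can compute about y_j."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_residue_mod_prime(x: int, p: int) -> bool:
    """Euler's criterion x^((p-1)/2) == 1 mod p (x coprime to p)."""
    return pow(x, (p - 1) // 2, p) == 1


def client_query(t: int, width: int, p: int, q: int, rng: random.Random) -> list:
    """Step 2: y_t is a non-residue mod n with Jacobi symbol +1, all other y_j are residues."""
    n = p * q
    ys = []
    for j in range(width):
        while True:
            x = rng.randrange(2, n)
            if gcd(x, n) != 1:
                continue
            if j != t:
                ys.append(pow(x, 2, n))        # a quadratic residue mod n
                break
            # non-residue modulo both p and q: (x/p)(x/q) = (-1)(-1) = +1, so its
            # Jacobi symbol matches the residues and it cannot be singled out
            if not is_residue_mod_prime(x, p) and not is_residue_mod_prime(x, q):
                ys.append(x)
                break
    return ys


def database_answer(table: list, ys: list, n: int) -> list:
    """Step 3: z_i = prod_j y_j^{b_ij} mod n for every row i; no knowledge of p, q needed."""
    zs = []
    for row in table:
        z = 1
        for bit, y in zip(row, ys):
            if bit:
                z = z * y % n
        zs.append(z)
    return zs


def retrieve_bit(table: list, s: int, t: int, p: int, q: int, rng=None) -> int:
    """One round of the scheme for bit b_{s,t}: the database sees only the y_j's."""
    rng = rng or random.Random()
    n = p * q
    ys = client_query(t, len(table[0]), p, q, rng)
    assert all(jacobi(y, n) == 1 for y in ys)     # indistinguishable without p and q
    zs = database_answer(table, ys, n)
    # z_s is a product of residues, times the non-residue y_t exactly when b_{s,t} = 1
    return 0 if is_residue_mod_prime(zs[s], p) and is_residue_mod_prime(zs[s], q) else 1


def retrieve_range(table: list, u: int, v: int, p: int, q: int, rng=None) -> list:
    """Bits u..v (0-based, inclusive, row-major order), one round per bit as in the paper."""
    width = len(table[0])
    return [retrieve_bit(table, k // width, k % width, p, q, rng) for k in range(u, v + 1)]


# Constructed toy parameters and a 4 x 4 database (N = 16 bits).
P, Q = next_prime(60000), next_prime(65000)
TABLE = [
    [1, 0, 1, 1],
    [0, 0, 1, 0],
    [1, 1, 0, 0],
    [0, 1, 1, 1],
]
```

Each call to retrieve_bit sends \sqrt{N} numbers and receives \sqrt{N} numbers, which is the O(\sqrt{N}) communication cost stated above; the database side does up to N modular multiplications per bit, which is the cost the text calls impractical.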

3. The System Architecture 

In this section we present our system architecture which protects users’ privacy in 
web transactions of digital goods. Specifically, the proposed system is designed to 
meet the following four major requirements: 

I. It allows a user to disclose his/her identity information (such as a 
user account or credit card number) to a web server in exchange 
for a digital item (i.e., a digital product). 

II. It prevents the web server from learning which specific item the 
user intends to obtain. 

III. It prevents the user from obtaining more than what he/she deserves 
to obtain. 

IV. It operates efficiently and does not impose unacceptable processing 
overhead in online transactions. 

There are currently a number of industrial initiatives on digital content distribution 
and digital rights management. One example is EBX [EBX] for secure e-book 
exchange and the other example is SDMI [SDMI] for secure digital music 
distribution. Both initiatives adopt the "Super distribution" model [MK90], a general 
approach to distributing digital content in which the content is made available freely 
either online or offline and without restriction but is protected from modifications and 
modes of usage not authorized by its publisher. In Super distribution, a user pays for 
using the content, not for possessing it. Our system architecture, depicted in Figure 1, 
is designed to be compatible with the principle of Super distribution. 

Fig. 1. The system architecture. 
The system involves three generic parties as shown in Figure 1. The content provider 
"wraps" a digital item/product in a secure package as shown in Figure 2. A secure 
package contains the item encrypted under an encryption key with a symmetric key 
cipher, the encryption key encrypted under a master key, and the digital item 
information (such as a summary or a preview of the item, terms of usage and provider 
information). Since nobody can access the digital item in a secure package without 
purchasing the encryption key, secure packages can be distributed either online over 
the Internet or offline using CD-ROMs or other physical media. Key purchasing 
requires a transaction server that acts on behalf of the content provider. The 
transaction server is responsible for recovering a digital item's encryption key upon 
user authentication or payment. 

Fig. 2. Secure package: Item Information | Encrypted Encryption Key | Encrypted Item. 



Specifically, purchasing a digital item is carried out in two steps: 

1. There are two cases to consider: a) for online distribution, a user 
anonymously downloads the secure package of the desired digital item from 
the content provider via an anonymizer proxy; b) for offline distribution, a 
user gets the physical media, such as a CD-ROM, containing the secure package 
of the desired item. 

2. The user obtains the desired digital item's encryption key online from the 
transaction server using a key acquisition protocol. 

Without loss of generality and to simplify the description, we assume that a user is 
interested in a single digital item at a time. The key acquisition protocol must be 
designed to have the following properties: 

i. It allows a user to disclose his/her identity or payment information 
to the transaction server in exchange for the desired encryption key. 

ii. It prevents the transaction server from learning which specific 
encryption key the user wants. 

iii. It prevents the user from obtaining more than one key. 

Note that properties i - iii correspond to the system requirements I - III listed at the 
beginning of this section. 

Since secure packages are either distributed offline or accessed online from the 
content provider through an anonymizer, the content provider cannot learn which 
user has downloaded which secure package. Due to the three properties of the key 
acquisition protocol to be designed in the following two sections, it is apparent that 
the system requirements I - III are satisfied. The above reasoning is based on the 
realistic assumption that many users are engaged in transactions of many digital items, 
so that the content provider and the transaction server cannot correlate specific 
instances of secure package downloading and key purchasing. What is achieved with 
this model is actually very similar to the unlinkability property of anonymous digital 
cash [CFN90]. 

It is easy to see that in our model privacy protection can only be achieved for 
digital items of the same price or for business models based on user membership 
subscriptions. For certain e-commerce applications, such as digital libraries and 
electronic journals, the most likely business model is subscription based, where a limited 
number of goods are provided to a member in a certain period of time. For the 
situation of digital goods with different prices, we will give special treatment in the 
next two sections. 

Finally, we would like to emphasize that our privacy protection system requires 
the transaction server to be trusted to the extent that it does not deliberately deny users 
the desired digital items. Nothing can prevent a transaction server 
from denying service. However, no matter how maliciously a transaction server 
may behave, the server is never able to learn which item/key a user wants to get. We 
believe that these privacy protection features do provide a business advantage to 
merchants. If two merchants sell the same digital goods at the same price while one of 
them provides privacy protection and the other does not, the former is definitely more 
attractive to users. 

The following two sections will focus on the design and analysis of two key 
acquisition protocols. In theory, both PIR and oblivious transfer schemes can be 
adopted in our protocols since they both allow a user to retrieve a message (i.e., an 
encryption key in our context) from a server without the server knowing which 
message is retrieved. As alluded to in the last section, available PIR schemes 
are not efficient due to their bit-oriented processing nature. Moreover, PIR is studied 
on an abstract model where only two parties are assumed to exist and communicate 
with each other. Our key acquisition protocols to be presented below are based on two 
new oblivious transfer schemes which are computationally efficient and require a 
constant amount of communication between a user and the transaction server 
regardless of the number of encryption keys stored in the server. 

4. Key Acquisition Protocol Based on Blinding RSA Decryption 

4.1 Description of the Protocol 

Setting up RSA parameters: The content provider sets up the system-wide RSA 
parameters as follows: 

1. Pick a 1024-bit RSA modulus n = pq with primes p = 2p' + 1 and q = 2q' + 1, 
where p' and q' are also primes. 

2. Choose a random 120-bit number d_p and let d_q = d_p + 2. 

3. Compute the RSA secret exponent d by the Chinese Remainder 
Algorithm such that d \equiv d_p mod 2p' and d \equiv d_q mod 2q'. 

4. Compute the RSA public exponent e such that ed \equiv 1 mod 2p'q'. The 
public key (e, n) is made public and the private key (d, n) is passed 
securely to the transaction server. 

Production of secure packages: Assume that the content provider has m digital 
items M_1, M_2, ..., M_m. It constructs a secure package for each item as follows: 

1. Randomly choose m 1023-bit numbers r_1, r_2, ..., r_m. 

2. Generate encryption keys by hashing r_i: K_i = MD5(r_i) for i = 1, 2, ..., m. 

3. Encrypt M_i by key K_i: C_i = AES(M_i, K_i) for i = 1, 2, ..., m, where AES 
stands for Advanced Encryption Standard [AES]. 

4. Encrypt r_i with the RSA public key: D_i = (r_i)^e mod n. 

The secure package for the ith item M_i is the triplet <B_i, C_i, D_i> where B_i is the digital 
item information, e.g., a summary of the digital item. All the secure packages are 
distributed freely. 

Assume that a user is interested in the jth item M_j. The user can either anonymously 
download the secure package <B_j, C_j, D_j> from the content server or obtain it 
offline, e.g., from a CD-ROM. The user then obtains the item's encryption key by 
running the following protocol with the transaction server. 

The key acquisition protocol: The protocol is based on blinding RSA decryption of 
D_j. Assuming that a user has authenticated himself/herself or has submitted his/her 
credit card number to the transaction server, the user and the transaction server 
proceed as follows: 

1. The user randomly picks a 1023-bit number R, computes S = R^e 
mod n and T = 1/R mod n, and sends U = S D_j mod n to the 
transaction server. 

2. The transaction server computes V = U^d mod n and returns V to the 
user. 

3. The user computes K_j = MD5(V T mod n) to recover the encryption 
key K_j and then uses the key to obtain the digital item M_j = AES^{-1}(C_j, K_j). 

A block diagram representation of the protocol is given in Figure 3. 

Fig. 3. Key acquisition protocol based on blinding RSA decryption. 

4.2 Analysis of the Protocol 

Performance analysis: The heaviest computational burden on the transaction 
server is the decryption operation V = U^d mod n. The encryption operation D_i = (r_i)^e 
mod n is also expensive, but it is conducted only once for each digital item M_i, while 
the decryption operation is performed per transaction. Hence we want to reduce the cost 
of V = U^d mod n as much as possible. This is the reason behind the way we choose d. 
The decryption operation V = U^d mod n can be conducted by first computing 
U^{d_p} mod p and U^{d_q} mod q and then applying the Chinese Remainder 
Algorithm. Since d_p and d_q are small 120-bit numbers, the computation is much 
cheaper than a direct 1024-bit RSA decryption. 

Since d is chosen in a special way, e has negligible probability of being small. The 
most expensive computation for the user is S = R^e mod n. But this step can be done in 
advance as a pre-computation, i.e., the selection of R and the computation of S and T 
can be carried out as soon as the user's machine is powered on or during the machine's 
idle time. The only task for the user's machine after getting V is computing K_j = 
MD5(V T mod n) and M_j = AES^{-1}(C_j, K_j). They are very cheap operations. 

Security analysis: The problem of speeding up RSA decryption has been studied in 
cryptography for many years. It has been noticed that choosing a small secret exponent 
d could be dangerous [BD99, Wie90]. So far the best way is to choose small d_p and 
d_q. The meet-in-the-middle attack with the FFT technique provides an algorithm of 
complexity O(\sqrt{d_p} (\log_2 \sqrt{d_p})^2) to factorize n [Ngu01]. Therefore a 120-bit d_p 
provides a security level that is not much lower than the cost of 
the best factorization of a 1024-bit n. AES provides a security level of 2^{128}, which is higher 
than the factorization of a 1024-bit number and better than the security of DES. 

The transaction server conducts blinding RSA decryption like a decryption oracle. 
Careful attention must be paid here to ensure security. Small or simply 
formatted messages may cause security problems under this model [CNS99]. For the 
decryption oracle model, there exists a format that guarantees provable security 
[BR94]. In our scheme, we demand that the content provider chooses random 1023- 
bit numbers r_1, r_2, ..., r_m, which rules out all the attacks against the oracle model. 

If some D_i, D_j, D_k happen to satisfy D_i = D_j D_k mod n, a user can obtain 3 digital 
items by asking the transaction server to decrypt only two keys. However, the 
probability for this to happen is extremely small if r_1, r_2, ..., r_m are 1023-bit random 
numbers. The generalized requirement is that a user should not be able to obtain k+1 
encryption keys by asking the transaction server to decrypt k of the D_i's. One possible 
attack is that the user finds k+1 D_i's such that they are all C-smooth and the number 
of primes smaller than C is no larger than k. But such a C must be too large to 
make the attack feasible if the D_i's are 1023-bit random numbers. 

Accommodating products of different prices: In situations where digital goods 
have different prices, we can only achieve privacy protection among the goods with 
the same price. In order to prevent users from obtaining a higher priced digital item 
while paying the lower price, the content provider must have different RSA public keys 
for goods of different prices. Suppose there are 5 categories of digital goods with 5 
different prices; the content provider needs to generate 5 different RSA public keys 
(n_1, e_1), (n_2, e_2), (n_3, e_3), (n_4, e_4), (n_5, e_5) to produce secure packages for the 5 
categories of goods, respectively, and attach (n_i, e_i) to the secure packages for goods in 
the ith category. 

5. Key Acquisition Protocol Based on Commutative Symmetric Key Ciphers 

The following simple oblivious transfer protocol using a commutative symmetric key 
cipher was presented in [Sal90, p.200]. 

Alice has k secrets s_1, s_2, ..., s_k. Bob wants to get s_i without Alice knowing what i is. 

1. Bob gives Alice k random numbers y_1, y_2, ..., y_k. 

2. Alice returns to Bob z_j = E_A(s_j XOR y_j), j = 1, 2, ..., k, where E_A is the 
encryption by Alice's secret key with a commutative symmetric key 
cipher. 

3. Bob sends x = E_B(z_i) to Alice, where E_B is the encryption by Bob's 
secret key. 

4. Alice returns to Bob D_A(x), where D_A is the decryption by Alice's secret key. 

5. Bob computes s_i = D_B(D_A(x)) XOR y_i, where D_B is the decryption by Bob's 
secret key. 

However, it was not mentioned in [Sal90] what commutative symmetric key cipher 
exists. Actually, all the symmetric key ciphers available so far are not commutative 
except for stream ciphers, and stream ciphers cannot be applied here. When using stream 
ciphers to encrypt a message, either a random number is required to generate a 
different key stream or the section of the key stream being used must be specified. 
That information must be made available in the decryption process, which discloses 
which message Bob obtains. 

In the following protocol, we adopt exponentiation modulo a prime as our 
commutative symmetric key cipher. This is an improved version of [BDF00]. 
5.1 Description of the Protocol 

Setting up public parameters: The content provider sets up the system-wide public 
parameter p = 2p' + 1 where both p and p' are primes and |p| = 1024. 

Production of secure packages: Assume that the content provider has m digital 
items M_1, M_2, ..., M_m. It constructs a secure package for each item as follows: 

1. Randomly choose m 1023-bit numbers r_1, r_2, ..., r_m. 

2. Generate encryption keys by hashing r_i: K_i = MD5(r_i) for i = 1, 2, ..., m. 

3. Encrypt M_i by key K_i: C_i = AES(M_i, K_i) for i = 1, 2, ..., m. 

4. Randomly pick a 160-bit odd number d and compute e = 1/d mod 2p'. 

5. Encrypt r_i with e: D_i = (r_i)^e mod p. 

The secure package for the ith item M_i is denoted as <B_i, C_i, D_i> where B_i is the item 
information, i.e., a summary of the item. All the secure packages are distributed freely 
either online or offline. 

The key acquisition protocol: Assume that a user is in possession of <B_j, C_j, D_j> 
and wants to get the corresponding encryption key. After the user has authenticated 
himself/herself or has submitted his/her credit card number to the transaction server, 
the user and the transaction server engage in the following protocol: 

1. The user picks a random 160-bit odd number R, computes S = 1/R mod 2p' 
and sends U = (D_j)^R mod p to the transaction server. 

2. The transaction server computes V = U^d mod p and returns V to the user. 

3. The user recovers the key as K_j = MD5(V^S mod p) and obtains the jth item 
from M_j = AES^{-1}(C_j, K_j). 



5.2 Analysis of the Scheme 

Performance analysis: The encryption operation D_i = (r_i)^e mod p is conducted by 
the content server only once for each digital item M_i. The transaction server conducts 
the decryption operation V = U^d mod p once per transaction. Hence we want to reduce 
the cost of the decryption operation as much as possible. This is the reason why we 
choose d as a 160-bit number. A 160-bit discrete logarithm is safe against all current 
algorithms for computing discrete logarithms. 

Both the computations of U = (D_j)^R mod p and V^S mod p are expensive. We can 
choose either S or R small. We pick a small R because U = (D_j)^R mod p can be 
computed offline or during the machine's idle time. 

Security analysis: This protocol achieves information-theoretical security for users 
since the transaction server has no way to figure out what D_j is from U. 

The protocol is fair to the transaction server since no user can get k+1 keys through k 
decryptions. A brute force attack is to find d, but it is equivalent to computing a discrete 
logarithm. The other method is to find k+1 r_i's by asking the transaction server to 
decrypt k D_i's. Again, this is infeasible since r_1, r_2, ..., r_m are 1023-bit random 
numbers. 
6. Conclusion and Further Issues 

In this paper we have proposed a system architecture for user privacy protection in 
transactions of digital goods. We also presented two protocols that are secure and 
highly efficient. Although our system makes use of anonymizers for online 
distribution of digital goods, they are not absolutely necessary. Some other means can 
achieve a certain degree of user anonymity. For example, using a free proxy can protect 
the user's IP address, domain name and the owner name of the user's host server. By 
disabling cookies in the user's browser, a web site will not be able to correlate the user's 
previous connections to the site. 

It is commonly recognized that one of the most important issues for e-commerce 
of digital goods is content protection and management. This is an on-going effort in a 
number of industrial initiatives. So far it is still not clear what copyright protection 
technology will finally be adopted by the industries. There have been extensive 
research efforts for copyright protection, such as watermarking, fingerprinting, tamper- 
resistant hardware and tamper-resistant software. Although not explicitly stated, 
tamper-resistant hardware or software is gaining momentum. This is evident from the 
EBX and SDMI technical specifications. In the technical specification of EBX v8.0 
[EBX], it is required that all e-books be encrypted for any form of 
distribution and be decrypted within e-book readers, which should be a sort of 
tamper-resistant system. The proposed system in this paper is in general compatible 
with the EBX and SDMI frameworks. However, additional efforts are required to study 
detailed integration issues with specific content distribution and protection systems. 
For example, in EBX v8.0, voucher management plays an important role. Therefore it 
is necessary to study how to seamlessly integrate our system with EBX's voucher 
management system. 

Another issue is auditing. It is necessary for a transaction server to know the sales 
figures, such as the number of copies sold of a digital product. Statistics can 
be gathered from the number of free downloads at the content provider. But such 
numbers cannot precisely reflect the number of sold copies of each digital product, 
while in practice the numbers are important for royalty payment. 

The requirements of privacy protection and collection of royalty statistics look 
contradictory to each other. This is a subject worth further study. One possible 
solution is to introduce a trusted party, who provides cryptographic parameters to the 
content provider for the purpose of digital goods encryption. The parameters may 
contain some secrets that only the trusted party knows. As a result, the transaction 
server/content provider cannot learn which product a user obtained, but the trusted 
party can. Periodically, the transaction server hands all the transaction messages to the 
trusted party, who then computes how many copies of each product have been sold. 

Finally, we would like to point out that an efficient (e.g., without using large 
number computations) symmetric key cipher with the commutative property would 
greatly increase the efficiency of our second protocol. It may be a challenge to design 
such a cipher. 
Abstract. This paper discusses the characterizations of multi-output 
correlation-immune functions. We first give a decomposition formula of 
the probability distribution of binary random vectors by using Walsh 
transform. Then the equivalence of the two different definitions of multi- 
output correlation-immune functions is proved. Furthermore, we con- 
struct a class of keystream generators which can resist the linear and 
correlation attacks. 



1 Introduction 

If for any vector X = (x_1, x_2, \dots, x_n) in F_2^n there is a unique vector Y = 
(y_1, y_2, \dots, y_m) corresponding to it, then the correspondence is called an (n, m) 
logic function, denoted by Y = F(x_1, x_2, \dots, x_n), where n and m are called 
the dimensions of input and output respectively. If m = 1, F is called a single- 
output logic function or simply a logic function. If m > 1, F is called a multi- 
output logic function. Let F_2^t be a t-dimensional vector space on F_2. For any 
(x_1, x_2, \dots, x_t) \in F_2^t, since there is a one-to-one mapping between the vector 
(x_1, x_2, \dots, x_t) and its decimal value x_1 2^{t-1} + x_2 2^{t-2} + \dots + x_t 2^0, for the purpose 
of convenience we usually use the corresponding decimal value to represent the 
vector. 

Various and extensive applications of multi-output logic functions have been 
found in the practice of cryptography. For example, in the multi-bit output 
keystream generator in stream ciphers, the output of every step can be thought of as 
the multi-output logic function value with its corresponding state as independent 
variables. In block ciphers using 0,1 bits as blocks, the correspondence between 
plaintext blocks and the corresponding ciphertext blocks can also be seen as 
multi-output logic functions. The correlation-immunity of logic functions is one of 
the most important factors when measuring the security of a cryptosystem. Note 
that the order of correlation-immunity correlates closely with the computational 
complexity of correlation attacks. So if a logic function with weak correlation- 
immunity is used in a cryptosystem, the system will be vulnerable to correla- 
tion attacks. There have been extensive and deep discussions on correlation- 
immunity of single-output logic functions. In comparison, few deep discussions 
on correlation-immunity of multi-output logic functions have been published. 
The concept of multi-output correlation-immune logic functions, which is intro- 
duced in [1] [2] and is named the multi-output correlation-immune logic function 
of type I in [3], is a direct extension of the single-output logic function. Also in 
[3] another concept, named the multi-output correlation-immune logic function 
of type II, has been put forward. It has established a direct connection between the 
correlation-immunity of multi-output logic functions and that of vector func- 
tions. Furthermore, it has been proved that multi-output correlation-immune 
logic functions of type I form a subset of multi-output correlation-immune logic 
functions of type II. 

In this paper, we will discuss these two characterizations of the correlation- 
immunity of multi-output logic functions more deeply. Based on the decompo- 
sition formula of the probability distribution of binary random vectors which 
is obtained by using the Walsh transform, the equivalence of the two characteriza- 
tions is proved. Thus a direct connection between the correlation-immunity of 
multi-output logic functions and that of single-output logic functions can be es- 
tablished. In section 4, using multi-output logic functions, we construct a class 
of keystream generators which can withstand correlation attacks and best affine 
approximation (BAA) attacks. 

2 Two Definitions of Multi-output Logic Functions 

Firstly, we introduce the definition of single-output correlation-immune logic 
functions. 

Definition 1. [1] Let f be a logic function on F_2^n, and let X = (x_1, x_2, \dots, x_n) be 
n independent and uniformly distributed random variables. If for any T = \{j_1, j_2, \dots, 
j_t\} \subseteq \{1, 2, \dots, n\} satisfying |T| = t and any c \in F_2, the random variables 
y = f(x_1, x_2, \dots, x_n) and (x_{j_1}, x_{j_2}, \dots, x_{j_t}) are mutually independent, that is, 
for any (a_1, a_2, \dots, a_t) \in F_2^t and any c \in F_2 the following equation holds: 

Prob\{y = c \mid x_{j_i} = a_i, 1 \le i \le t\} = Prob\{y = c\} 

then f is called an (n, 1, t) correlation-immune function or tth-order correlation- 
immune function on F_2^n. 

Lemma 1. [1] (Xiao-Massey) A logic function f(X), X \in F_2^n, is a tth-order 
correlation-immune function (1 \le t < n) iff for any \omega \in F_2^n with Hamming 
weight W(\omega) satisfying 1 \le W(\omega) \le t, Prob\{f(X) = \omega \cdot X\} = 0.5 holds. 

Next, we introduce the definition of multi-output correlation-immune functions 
of type I. 

Definition 2. [1] Let F be a function from F_2^n to F_2^m, and let x_1, x_2, \dots, x_n be n 
independent and uniformly distributed random variables. If for any T = \{j_1, j_2, \dots, 
j_t\} \subseteq \{1, 2, \dots, n\} satisfying |T| = t and any c \in F_2^m, the random variables 
y = F(x_1, x_2, \dots, x_n) and (x_{j_1}, x_{j_2}, \dots, x_{j_t}) are mutually independent, that is, 
for any (a_1, a_2, \dots, a_t) \in F_2^t and any c \in F_2^m the following equation holds: 

Prob\{y = c \mid x_{j_i} = a_i, 1 \le i \le t\} = Prob\{y = c\} 

then F is called an (n, m, t) correlation-immune multi-output logic function of 
type I. 

Finally, we give the definition of multi-output correlation-immune functions of 
type II, which was put forward in [3]. 

Definition 3. [3] Let F = (f_1, f_2, \dots, f_m) be a function from F_2^n to F_2^m. If 
all non-zero linear combinations of its component functions, written as 
f(X) = \bigoplus_{i=1}^{m} c_i f_i(X), are (n, 1, t) correlation-immune functions, then F is called an (n, m, t) 
multi-output correlation-immune function of type II, where X \in F_2^n, c_1, c_2, \dots, c_m \in F_2, 
and (c_1, c_2, \dots, c_m) \ne (0, 0, \dots, 0). 
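An added example (written for this edition, not from [1] or [3]; the two test functions F_GOOD and F_BAD and all names are constructed): Python that checks a multi-output function against Definition 2 (type I, by comparing the conditional probabilities over every t-subset of inputs) and against Definition 3 (type II, through the Walsh spectrum of every non-zero linear combination of the components, using Lemma 1). The two verdicts agree on both examples, which is what the equivalence theorem of the next section asserts in general.

```python
from itertools import combinations, product


def dot(u, v) -> int:
    """Inner product over F_2."""
    return sum(a & b for a, b in zip(u, v)) & 1


def walsh_spectrum(f, n: int) -> dict:
    """S_f(w) = sum_X (-1)^{f(X) + w.X}; S_f(w) = 0 iff Prob{f(X) = w.X} = 1/2."""
    inputs = list(product((0, 1), repeat=n))
    return {w: sum((-1) ** (f(x) ^ dot(w, x)) for x in inputs) for w in inputs}


def is_ci_single(f, n: int, t: int) -> bool:
    """Lemma 1 (Xiao-Massey): t-th order CI iff S_f(w) = 0 for all 1 <= W(w) <= t."""
    return all(s == 0 for w, s in walsh_spectrum(f, n).items() if 1 <= sum(w) <= t)


def is_ci_type2(F, n: int, m: int, t: int) -> bool:
    """Definition 3: every non-zero linear combination of the components is (n,1,t)-CI."""
    for c in product((0, 1), repeat=m):
        if any(c) and not is_ci_single(lambda x, c=c: dot(c, F(x)), n, t):
            return False
    return True


def is_ci_type1(F, n: int, m: int, t: int) -> bool:
    """Definition 2: Prob{Y = c | x_T = a} = Prob{Y = c} for every t-subset T and all a, c."""
    inputs = list(product((0, 1), repeat=n))
    outputs = list(product((0, 1), repeat=m))
    total = {c: sum(1 for x in inputs if F(x) == c) for c in outputs}
    for T in combinations(range(n), t):
        for a in product((0, 1), repeat=t):
            sub = [x for x in inputs if all(x[j] == a[i] for i, j in enumerate(T))]
            for c in outputs:
                # exact comparison of the two probabilities by cross-multiplication
                if sum(1 for x in sub if F(x) == c) * len(inputs) != total[c] * len(sub):
                    return False
    return True


def both_definitions(F, n: int, m: int, t: int) -> tuple:
    """(type I, type II) verdicts; Theorem 1 says they always agree."""
    return is_ci_type1(F, n, m, t), is_ci_type2(F, n, m, t)


# Constructed (3, 2) examples: F_GOOD is first-order CI, F_BAD leaks x_1 directly.
def F_GOOD(x):
    return (x[0] ^ x[1], x[1] ^ x[2])


def F_BAD(x):
    return (x[0], x[0] ^ x[1])
```

The type II test costs 2^m Walsh transforms of size 2^n, while the type I test enumerates every t-subset and every assignment to it, so for a keystream generator with many inputs the type II form is the one a practitioner would actually compute.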



3 Equivalence Theorem 

A real-valued function with binary variables g is referred to as the following 
correspondence: for any X \in F_2^n, there is a unique g(X) \in R corresponding to 
it, denoted by g : F_2^n \to R, where n is the number of independent variables of g 
and R is the set of real numbers. Using the Walsh function system, any real-valued 
function with binary variables g(X) can be expanded as: 

g(X) = 2^{-n} \sum_{\omega \in F_2^n} S_g(\omega) (-1)^{\omega \cdot X}   (1) 

where 

S_g(\omega) = \sum_{X \in F_2^n} g(X) (-1)^{\omega \cdot X}   (2) 

(2) is called the Walsh transformation. The corresponding set \{S_g(\omega) : \omega \in F_2^n\} is 
called the Walsh spectrum. 

Using the Walsh transformation and Walsh spectrum, we can get the following 
theorem easily. 

Lemma 2. (Lemma of Decomposition) Let \xi = (\xi_1, \xi_2, \dots, \xi_m) be a random 
vector with dimension m and a \in F_2^m. Then 

Prob\{\xi = a\} = \frac{1}{2^{m-1}} \sum_{\omega=1}^{2^m - 1} Prob\{\omega \cdot \xi = \omega \cdot a\} + \frac{1}{2^{m-1}} - 1   (3) 

Proof. The probability distribution of \xi = (\xi_1, \xi_2, \dots, \xi_m), denoted by Prob\{\xi = 
X\}, is a real-valued function with binary variables, written as g(X) = Prob\{\xi = 
X\}, whose Walsh transformation is: 

S_g(\omega) = \sum_{X \in F_2^m} (-1)^{\omega \cdot X} Prob\{\xi = X\} 

Clearly, in the sense of probability, S_g(\omega) means: 

S_g(\omega) = Prob\{\omega \cdot \xi = 0\} - Prob\{\omega \cdot \xi = 1\} 
= 2 Prob\{\omega \cdot \xi = 0\} - 1 

From (1), we have 

Prob\{\xi = a\} = \frac{1}{2^m} \sum_{\omega=0}^{2^m - 1} S_g(\omega) (-1)^{\omega \cdot a} 
= \frac{1}{2^m} \sum_{\omega=0}^{2^m - 1} (-1)^{\omega \cdot a} (2 Prob\{\omega \cdot \xi = 0\} - 1) 
= \frac{1}{2^{m-1}} \sum_{\omega=0}^{2^m - 1} (-1)^{\omega \cdot a} Prob\{\omega \cdot \xi = 0\} - \frac{1}{2^m} \sum_{\omega=0}^{2^m - 1} (-1)^{\omega \cdot a} 

When a = 0, 

Prob\{\xi = 0\} = \frac{1}{2^{m-1}} \sum_{\omega=0}^{2^m - 1} Prob\{\omega \cdot \xi = 0\} - 1 
= \frac{1}{2^{m-1}} \sum_{\omega=1}^{2^m - 1} Prob\{\omega \cdot \xi = 0\} + \frac{1}{2^{m-1}} - 1 

When a \ne 0, since \sum_{\omega=0}^{2^m - 1} (-1)^{\omega \cdot a} = 0 and 

(-1)^{\omega \cdot a} Prob\{\omega \cdot \xi = 0\} = Prob\{\omega \cdot \xi = \omega \cdot a\} - \omega \cdot a 

where \omega \cdot a, as the real value 0 or 1, takes part in the operations on the right-hand side 
of the equation, we have 

Prob\{\xi = a\} = \frac{1}{2^{m-1}} \sum_{\omega=0}^{2^m - 1} (Prob\{\omega \cdot \xi = \omega \cdot a\} - \omega \cdot a) 
= \frac{1}{2^{m-1}} \sum_{\omega=0}^{2^m - 1} Prob\{\omega \cdot \xi = \omega \cdot a\} - \frac{1}{2^{m-1}} \sum_{\omega=0}^{2^m - 1} \omega \cdot a 
= \frac{1}{2^{m-1}} \sum_{\omega=0}^{2^m - 1} Prob\{\omega \cdot \xi = \omega \cdot a\} - 1 
= \frac{1}{2^{m-1}} \sum_{\omega=1}^{2^m - 1} Prob\{\omega \cdot \xi = \omega \cdot a\} + \frac{1}{2^{m-1}} - 1 

Therefore, for any a \in F_2^m, Lemma 2 holds. □ 



Lemma 3. Let $\eta = (\eta_1, \eta_2, \dots, \eta_t)$ and $\xi = (\xi_1, \xi_2, \dots, \xi_m)$ be random vectors on $F_2$ with dimension $t$ and $m$ respectively. Then $\eta$ and $\xi$ are mutually independent if and only if $\eta$ and every non-zero linear combination of $\xi_1, \xi_2, \dots, \xi_m$, denoted by $\bigoplus_{i=1}^{m} c_i \xi_i$, are independent, where $c_1, c_2, \dots, c_m \in F_2$ and $(c_1, c_2, \dots, c_m) \neq (0, 0, \dots, 0)$.

Proof. "$\Rightarrow$" For any $c_1, c_2, \dots, c_m \in F_2$ with $(c_1, c_2, \dots, c_m) \neq (0, 0, \dots, 0)$ and any $c \in F_2$, we write

$$T_c(c_1, c_2, \dots, c_m) = \left\{ \beta \;\middle|\; \beta = (\beta_1, \beta_2, \dots, \beta_m) \in F_2^m,\ \bigoplus_{i=1}^{m} c_i \beta_i = c \right\}.$$

From the conditions, we have

$$\text{Prob}\left\{\bigoplus_{i=1}^{m} c_i \xi_i = c \;\middle|\; \eta = b\right\} = \sum_{\beta \in T_c(c_1, c_2, \dots, c_m)} \text{Prob}\{\xi = \beta \mid \eta = b\} = \sum_{\beta \in T_c(c_1, c_2, \dots, c_m)} \text{Prob}\{\xi = \beta\} = \text{Prob}\left\{\bigoplus_{i=1}^{m} c_i \xi_i = c\right\},$$

where $b = (b_1, b_2, \dots, b_t) \in F_2^t$.

"$\Leftarrow$" By the condition $\text{Prob}\{\omega \cdot \xi = \omega \cdot a \mid \eta = b\} = \text{Prob}\{\omega \cdot \xi = \omega \cdot a\}$ for every non-zero $\omega$, and Lemma 2 applied to the conditional distribution of $\xi$ given $\eta = b$, we have

$$\text{Prob}\{\xi = a \mid \eta = b\} = \frac{1}{2^{m-1}} \sum_{\omega = 1}^{2^m - 1} \text{Prob}\{\omega \cdot \xi = \omega \cdot a \mid \eta = b\} + \frac{1}{2^{m-1}} - 1$$
$$= \frac{1}{2^{m-1}} \sum_{\omega = 1}^{2^m - 1} \text{Prob}\{\omega \cdot \xi = \omega \cdot a\} + \frac{1}{2^{m-1}} - 1 = \text{Prob}\{\xi = a\}.$$

Therefore, $\eta$ and $\xi$ are independent. □

Theorem 1. (Equivalence Theorem) Let $F = (f_1, f_2, \dots, f_m)$ be a function from $F_2^n$ to $F_2^m$. Suppose that $x_1, x_2, \dots, x_n$ are $n$ independent and uniformly distributed random variables. Then $F$ is an $(n, m, t)$ multi-output correlation-immune function of type II if and only if $F$ is an $(n, m, t)$ multi-output correlation-immune function of type I.

Proof. By Lemma 3, Definition 2 and Definition 3, the following statements are equivalent:

$F$ is an $(n, m, t)$ multi-output correlation-immune function of type I
$\Leftrightarrow$ for any $\{j_1, j_2, \dots, j_t\} \subseteq \{1, 2, \dots, n\}$, the random variable $y$, written as $y = F(x_1, x_2, \dots, x_n) = (y_1, y_2, \dots, y_m)$, and $(x_{j_1}, x_{j_2}, \dots, x_{j_t})$ are independent
$\Leftrightarrow$ for any $\{j_1, j_2, \dots, j_t\} \subseteq \{1, 2, \dots, n\}$ and any $(c_1, c_2, \dots, c_m) \in F_2^m$ with $(c_1, c_2, \dots, c_m) \neq (0, 0, \dots, 0)$, $(x_{j_1}, x_{j_2}, \dots, x_{j_t})$ and $\bigoplus_{i=1}^{m} c_i y_i = \bigoplus_{i=1}^{m} c_i f_i(x_1, x_2, \dots, x_n)$ are independent (Lemma 3 with $\eta = (x_{j_1}, \dots, x_{j_t})$ and $\xi = y$)
$\Leftrightarrow$ every non-zero linear combination of the component functions of $F$, denoted by $\bigoplus_{i=1}^{m} c_i f_i(X)$, is an $(n, 1, t)$ correlation-immune function (where $X \in F_2^n$)
$\Leftrightarrow$ $F = (f_1, f_2, \dots, f_m)$ is an $(n, m, t)$ multi-output correlation-immune function of type II. □

From the equivalence theorem and the Xiao-Massey lemma, we can draw the following conclusion: in cryptanalysis, when investigating the correlation properties of multi-output logic functions, we should consider whether there exist correlations between the input and all linear combinations of the output component functions, rather than considering the correlation properties of single component functions only.
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4 Applications in Designing Keystream Generators 

In stream ciphers, the following type of keystream generator (see Fig. 1) is often used; it is called the nonlinear combination generator, and the output of the function $f$ is used as the keystream. The initial states of this kind of generator are predetermined by the key.

[Fig. 1. A nonlinear combination generator. $f$ is a nonlinear combining function.]

If this kind of generator is used to generate keystreams, not only is it easy to implement in engineering, owing to its simple structure, but the linear complexity of the output sequence is also easy to estimate. So, as keystream generators, nonlinear combination generators are quite desirable. Though this type of keystream generator has these advantages, in practical use we still should choose the logic function $f$ with great care. Otherwise, it will be easy to recover the key (the initial states of the FSRs) through BAA (best affine approximation) attacks. However, from the spectrum theory of logic functions, no matter what kind of logic function $f$ is, there always exists a correlation between some linear combination of the input sequences and the output keystream, i.e.

$$\text{Prob}\left\{ f(x_1, x_2, \dots, x_n) = \bigoplus_{i=1}^{n} c_i x_i \right\} > 0.5 \ \text{(or } < 0.5\text{)}$$

for some $(c_1, c_2, \dots, c_n) \in F_2^n$. Hence, we can only choose the logic function $f$ as carefully as possible so as to distribute the correlation among different linear combinations of the input variables, but cannot eliminate it at all.

This unfortunate situation can be changed by applying multi-output correlation-immune logic functions in nonlinear combination keystream generators, which makes it difficult to obtain the initial states of the FSRs in the generator from the output keystream. To illustrate this, we construct one type of keystream generator using multi-output correlation-immune logic functions (see Fig. 2).

In Fig. 2, $F(X) = (f_1, f_2, \dots, f_n, f_{n+1}, \dots, f_{n+t})$ is an $(n + t, n + t, n)$ balanced multi-output correlation-immune logic function; $f_1, f_2, \dots, f_n$ are the outputs of the generator and are used directly as the keystream. The one-step delays of $f_{n+1}, f_{n+2}, \dots, f_{n+t}$ are $t$ input variables of $F(X)$. The remaining $n$ input variables of $F(X)$ are supplied by the outputs of the FSRs at the same step.

[Fig. 2. A nonlinear combination generator using a multi-output correlation-immune logic function $F$; the outputs $f_1, \dots, f_n$ form the keystream.]

From the equivalence theorem in Section 3, we can see that any linear combination of the generator's outputs $f_1, f_2, \dots, f_n$, denoted by $\bigoplus_{i=1}^{n} c_i f_i$, and any linear combination of the FSRs' outputs $x_1, x_2, \dots, x_n$, denoted by $\bigoplus_{i=1}^{n} c'_i x_i$, satisfy

$$\text{Prob}\left\{ \bigoplus_{i=1}^{n} c_i f_i = \bigoplus_{i=1}^{n} c'_i x_i \right\} = 0.5$$

for all non-zero $(c_1, \dots, c_n)$ and $(c'_1, \dots, c'_n)$; that is, the outputs $f_1, f_2, \dots, f_n$ and $x_1, x_2, \dots, x_n$ are statistically independent. Thus the generator is immune to correlation attacks and linear approximation attacks that relate the keystream to linear combinations of the FSR outputs of the same step. Certainly, when this kind of keystream generator is used, the following requirements remain important: firstly, the length of every FSR should be large enough to preclude exhaustive search; secondly, the selection of $F(X)$ should give every component function of the output rather high nonlinearity; and thirdly, the output keystream should have large linear complexity.

We will not discuss the construction of balanced multi-output correlation-immune logic functions here. The interested reader can find the details in [3].
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Abstract. Undeniable signature has been extensively researched after 
Chaum and Antwerpen first proposed the concept of this special dig- 
ital signature ten years ago. Up to now, however, almost all the ex- 
isted schemes are based on discrete logarithm cryptosystems. In this pa- 
per, based on an improvement of the practical threshold RSA signature 
scheme proposed by Shoup at Eurocrypt’2000 and the first undeniable 
RSA signature scheme proposed by Gennaro, Krawczyk and Rabin at 
Crypto’97, we present the first, as we know, threshold undeniable RSA 
signature scheme. Our scheme is secure and robust since all the par- 
tial signatures are verifiable by adopting a discrete logarithm equality 
protocol proposed by Shoup. 



1 Introduction 

An undeniable signature is a special kind of digital signature with the characteristic that the signature cannot be verified without the cooperation of the signer and cannot be denied by the signer if he has indeed signed it. A $(t, n)$ threshold signature is one kind of group-oriented signature, in which only subsets with at least $t$ members of a group $U$ can generate a valid signature, and any verifier can simply verify an alleged signature if he/she knows $U$'s group public key. In a $(t, n)$ threshold undeniable signature scheme, however, any subset of $t$ members out of $n$, denoted by $U_B$, can represent the group $U$ to generate a signature, but without the cooperation of $t$ members a verifier cannot verify the validity of an alleged signature even if he knows $U$'s group public key. At the same time, any subset of fewer than $t$ members cannot generate, confirm or disavow a signature even if they cooperate maliciously. Generally speaking, a threshold undeniable signature scheme consists of the following three main sub-protocols.

(1) Signing Protocol: $t$ members in the subset $U_B$ run this protocol to produce a valid signature for any message, but an attacker $I$ cannot forge a valid signature of group $U$ with non-negligible probability unless $I$ has corrupted at least $t$ members or $U$'s private signing key has been compromised to $I$ (i.e., nonforgeability).

(2) Confirmation Protocol: By running this protocol between the prover $U_B$, $t$ members of $U$, and a verifier $V$, $V$ is convinced that an alleged signature is indeed signed by $U$. The confirmation protocol should satisfy the following three properties.

— Completeness: A signature signed by group $U$ will always be accepted by $V$ if all the members in $U_B$ and $V$ are honest (that is, they act as the protocol describes).

— Soundness: Even a cheating prover $U_B$ cannot convince the verifier $V$ to accept a non-valid signature of $U$ with non-negligible probability.

— Zero-knowledge: On input a message and its valid signature, any possibly cheating verifier $V$ interacting with a subset $U_B$ does not learn any information aside from the validity of the signature.

(3) Denial Protocol: By running this protocol, the prover $U_B$ assures a verifier $V$ that a signature is not signed by group $U$. The denial protocol should also satisfy three similar properties, as follows.

— Completeness: A signature not signed by $U$ will always pass the denial protocol, so that $V$ believes it is not $U$'s signature, if all the members in $U_B$ and $V$ are honest.

— Soundness: Even a cheating prover $U_B$ cannot successfully deny a valid signature of $U$ with non-negligible probability by running the denial protocol.

— Zero-knowledge: On input a message and a non-valid signature, any possibly cheating verifier $V$ interacting with a subset $U_B$ does not learn any information aside from the fact that this non-valid signature is in fact not a valid signature of group $U$.

Besides nonforgeability, a threshold undeniable signature scheme should also be robust, meaning that corrupted members should not be able to prevent uncorrupted members from generating signatures.

After Chaum and van Antwerpen first proposed the concept of undeniable signatures in [6], extensive research has been done on this special kind of signature. Chaum [2] presented a zero-knowledge undeniable signature scheme with promising applications in copyright protection of electronic products. By combining undeniable signatures and group-oriented signatures [7, 8], Harn and Yang [13] proposed the concept of $(t, n)$ threshold undeniable signatures, and presented two concrete schemes for $t = 1$ and $t = n$. But Langford [14] pointed out that their $(n, n)$ threshold undeniable signature scheme only possesses 2-out-of-$n$ security, because any two adjacent members can generate a valid threshold signature. Lin et al. presented a general threshold undeniable signature scheme [16], which is also subject to Langford's attack [14]. [15] generalized Chaum's zero-knowledge undeniable signature [2] to a $(t, n)$ threshold undeniable signature scheme with a dealer. However, unlike all the above schemes based on discrete logarithm cryptosystems, Gennaro, Krawczyk and Rabin presented the first undeniable RSA signature scheme [12].
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In this paper, we will construct the first, as we know, threshold undeniable 
RSA signature scheme with a dealer. Our Scheme are builded from an improve- 
ment to Shoup’s threshold signature scheme [20] and Gennaro etc.’s undeniable 
RSA signature scheme [12]. Our schemes are secure and robust because all the 
partial signatures are verifiable by adopting a discrete logarithm equality proto- 
col proposed by Shoup [20] . 

The organization of this paper is as follows. Notations are described in §2. 
Shoup’s discrete logarithm equality protocol [20] and Gennaro etc.’s undeniable 
RSA signature scheme are reviewed in § 3 and § 4 respectively. Then, we propose 
an improvement to Shoup’s threshold RSA signature and a newly threshold un- 
deniable RSA signature scheme in § 5 and § 6 respectively. The last two sections 
are about some discussions and future work. 



2 Notations 

Our systems consist of a dealer $D$ and a group $U$ with $n$ members $U_i$ ($i = 1, 2, \dots, n$). Let $t$ be the threshold value and $B$ denote a subset of size $t$ of the index set $\{1, 2, \dots, n\}$. The notation $x \in_R X$ means that an element $x$ is selected randomly and uniformly from the set $X$. In this paper, the RSA modulus $N$ is selected as the product of two large safe primes $p$ and $q$, i.e. there exist two primes $p', q'$ such that $p = 2p' + 1$, $q = 2q' + 1$ and $N = pq$. Let $M = p'q'$, and let $L(N)$ denote the bit-length of $N$.

We denote by $Q_N$ the subgroup of squares in $Z_N^*$. For any integer $x$, let $J(x|N)$ denote the Jacobi symbol of $x$ with respect to $N$. In addition, we denote by $J_N$ the subgroup of elements $x \in Z_N^*$ with $J(x|N) = 1$. Then $Q_N \subset J_N \subset Z_N^*$. Moreover, $Q_N$ is cyclic of order $M$ and $J_N$ is cyclic of order $2M$.

3 Discrete Logarithm Equality Protocol 

As a key tool of modern cryptography, proofs of knowledge play an important role in constructing various protocols and schemes. Among them, the most extensively used proofs of knowledge are based on discrete logarithm cryptosystems [3]. In this section, we briefly review a discrete logarithm equality protocol proposed by Shoup [20], which is an improvement (made non-interactive by means of a hash function) of a well-known interactive protocol due to Chaum and Pedersen [5].

Let $g_1, g_2$ be two generators of the subgroup $Q_N$ of $Z_N^*$; the order $M$ of $Q_N$ is not known to the prover or the verifier. The prover $P$ possesses a secret number $\alpha \in Z_M$ such that $\log_{g_1} h_1 = \log_{g_2} h_2 = \alpha$, i.e. $h_1 = g_1^{\alpha}$ and $h_2 = g_2^{\alpha}$. By running the following protocol between the prover $P$ and the verifier $V$, $P$ convinces $V$ that he indeed possesses the secret $\alpha$ without revealing it to $V$. Let $H$ be a hash function whose output is an $h$-bit integer, where $h$ is a second security parameter ($h = 128$, say). For convenience, we will simply denote this protocol as $\mathrm{DLE}(g_1, h_1; g_2, h_2; \alpha)$.

$\mathrm{DLE}(g_1, h_1; g_2, h_2; \alpha)$ Protocol

(1) $P$ randomly selects $w \in_R [0, 2^{L(N) + 2h} - 1]$, computes $a_1 = g_1^{w} \bmod N$, $a_2 = g_2^{w} \bmod N$, $c = H(g_1 \| g_2 \| h_1 \| h_2 \| a_1 \| a_2)$ and $r = \alpha c + w$ (computed over the integers, since the order of $Q_N$ is unknown). Then $P$ publishes $\mathrm{Proof}_P = (r, c)$ as the proof of knowing the secret $\alpha$.

(2) From the proof $(r, c)$, $V$ first computes $a_1 = g_1^{r} h_1^{-c} \bmod N$ and $a_2 = g_2^{r} h_2^{-c} \bmod N$, then determines whether $P$ knows the secret $\alpha$ by checking

$$c = H(g_1 \| g_2 \| h_1 \| h_2 \| a_1 \| a_2).$$
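As an added example (not code from the paper or from Shoup), the following Python runs the $\mathrm{DLE}(g_1, h_1; g_2, h_2; \alpha)$ protocol above on a constructed toy modulus. The safe primes $p = 23$, $q = 47$, the generators $4$ and $9$ of $Q_N$, the choice $h = 32$, and the encoding of $H(g_1 \| g_2 \| \dots)$ as SHA-256 over the decimal values joined with `|` and truncated to $h$ bits are all assumptions made here for illustration; the range of $w$ follows $[0, 2^{L(N)+2h} - 1]$ with $L(N)$ the bit-length of $N$.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only (a real system uses ~1024-bit safe primes).
P, Q = 23, 47                          # safe primes p = 2p'+1, q = 2q'+1
P1, Q1 = (P - 1) // 2, (Q - 1) // 2    # p' = 11, q' = 23
N, M = P * Q, P1 * Q1                  # N = 1081; M = p'q' = 253 is the (hidden) order of Q_N
H_BITS = 32                            # the second security parameter h (the paper suggests 128)
L_N = N.bit_length()                   # L(N)


def H(*parts):
    """Assumed encoding of H(g1||g2||h1||h2||a1||a2): SHA-256 over '|'-joined decimals, h bits kept."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (1 << H_BITS)


def is_generator_of_qn(g):
    """Dealer-side sanity check (needs p', q'): g generates Q_N iff g^M = 1, g^{p'} != 1, g^{q'} != 1."""
    return pow(g, M, N) == 1 and pow(g, P1, N) != 1 and pow(g, Q1, N) != 1


def dle_prove(g1, h1, g2, h2, alpha, w=None):
    """Step (1): prover P with secret alpha = log_g1 h1 = log_g2 h2 outputs Proof_P = (r, c)."""
    if w is None:
        w = secrets.randbelow(1 << (L_N + 2 * H_BITS))  # w in [0, 2^{L(N)+2h} - 1]
    a1, a2 = pow(g1, w, N), pow(g2, w, N)
    c = H(g1, g2, h1, h2, a1, a2)
    r = alpha * c + w            # over the integers: nobody reduces modulo the unknown order M
    return (r, c)


def dle_verify(g1, h1, g2, h2, proof):
    """Step (2): recompute a1 = g1^r h1^{-c}, a2 = g2^r h2^{-c} and compare the hash."""
    r, c = proof
    a1 = pow(g1, r, N) * pow(h1, -c, N) % N
    a2 = pow(g2, r, N) * pow(h2, -c, N) % N
    return c == H(g1, g2, h1, h2, a1, a2)


def demo():
    """An honest proof verifies; a proof whose response was modified does not."""
    g1, g2, alpha = 4, 9, 77                      # 4 and 9 generate Q_N for these toy primes
    assert is_generator_of_qn(g1) and is_generator_of_qn(g2)
    h1, h2 = pow(g1, alpha, N), pow(g2, alpha, N)
    r, c = dle_prove(g1, h1, g2, h2, alpha)
    good = dle_verify(g1, h1, g2, h2, (r, c))
    tampered = dle_verify(g1, h1, g2, h2, (r + 1, c))   # a1 is recomputed as g1^{w+1}, hash mismatch
    return good, tampered


if __name__ == "__main__":
    print(demo())
```

The response $r = \alpha c + w$ is never reduced, because nobody in the protocol except the dealer knows the order $M$ of $Q_N$; the large range of $w$ is what keeps $r$ from leaking $\alpha$ statistically. The hash width $h$ and the group order bound a cheating prover's success probability, and both are tiny at this toy size.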



4 Gennaro et al.'s Undeniable RSA Signature

In this section, we briefly review the first undeniable RSA signature scheme, constructed by Gennaro et al. [12]. In their scheme, the signer publishes the RSA modulus and a sample signature but keeps the usual key pair secret. The confirmation and denial of a signature check whether certain relations between the signature and the sample signature hold.

Stage 1: Setting System Parameters

If user $P$ wants to use this system, he first chooses two large safe primes $p = 2p' + 1$ and $q = 2q' + 1$ and lets the RSA modulus be $N = pq$. Then he chooses the key pair $e, d \in [1, \varphi(N) - 1]$ such that $ed = 1 \bmod \varphi(N)$. In addition, $P$ selects an element $w \in Z_N^*$ of order at least $p'q'$ as the sample message and computes the sample signature $S_w = w^{d} \bmod N$. At last, $P$ publishes his public key information $(N, w, S_w)$ but keeps his private key information $(e, d)$ secret, where $d$ is used to generate signatures and $e$ to verify them. Furthermore, $P$ chooses a security parameter $l$ (usually it can be set to 1024).

Stage 2: Generation of Undeniable Signature

As in the regular RSA signature scheme, if user $P$ wants to sign a message $m$, he computes $S_m = m^{d} \bmod N$ and publishes $(m, S_m)$ as his signature on message $m$.

Stage 3: Confirmation Protocol

A verifier $V$ cannot verify alone whether an alleged signature $(m, S_m)$ is signed by $P$, because $V$ does not know $P$'s verification key $e$ (in fact, $P$ does not publish this information at all). But $V$ and $P$ can run the following confirmation protocol to convince $V$ that $(m, S_m)$ is $P$'s signature on message $m$.

(3-1) $V$ randomly selects two numbers $c_1, c_2 \in_R [1, N]$, computes the value $C = S_m^{c_1} S_w^{c_2} \bmod N$ and sends it to $P$.

(3-2) After receiving $C$, $P$ computes and sends the value $R = C^{e} \bmod N$ to $V$.

(3-3) After receiving $R$, $V$ checks whether $R = m^{c_1} w^{c_2} \bmod N$ holds. If yes, then $V$ accepts $S_m$ as $P$'s signature on the message. Otherwise, $V$ and $P$ have to run the denial protocol to determine whether $S_m$ is indeed not signed by $P$.

Stage 4: Denial Protocol

$V$ and $P$ can run the following denial protocol to convince $V$ that $S_m$ is not $P$'s signature on message $m$.

(4-1) $V$ randomly selects two numbers $c_1 \in_R [1, l]$ and $c_2 \in_R [1, N]$, and sends $C_1 = S_m^{c_1} S_w^{c_2} \bmod N$ and $C_2 = m^{c_1} w^{c_2} \bmod N$ to $P$.

(4-2) After receiving $(C_1, C_2)$, $P$ searches all possible values in $[1, l]$ to find a number $r$ such that $(S_m^{e} / m)^{r} = C_1^{e} / C_2 \bmod N$. If such an $r$ is found, then $P$ sends it to $V$.

(4-3) $V$ checks whether $r = c_1$. If yes, $V$ is convinced that $S_m$ is not signed by $P$. Otherwise, $V$ believes that $P$ is trying to deny his own signature.

Note that $C_1^{e} / C_2 = (S_m^{e} / m)^{c_1} (S_w^{e} / w)^{c_2} = (S_m^{e} / m)^{c_1}$, so the search in (4-2) recovers $c_1$ whenever $S_m^{e} \neq m$; for a genuine signature $S_m^{e} = m$, every $r$ satisfies the equation and $P$ can do no better than guess $c_1$.

[12] proved two theorems about the completeness, soundness and zero-knowledge of the above confirmation protocol and denial protocol. Gennaro et al.'s theorems show that their scheme is secure. In practice, the security parameter $l$ can be selected as a small number, and $P$ and $V$ can run the denial protocol several times to guarantee security without loss of efficiency. For example, with $l = 1024$ and ten runs of the denial protocol, a security level of $1/2^{100}$ is reached. In other words, the probability of the following event is far less than one in a million: $V$ believes that $S_m$ is not signed by $P$, but in fact $S_m$ is $P$'s signature on message $m$.
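As an added example that is not part of the paper or of [12], the following Python plays both roles of Stages 1 to 4 above on a constructed toy instance: $p = 23$, $q = 47$, $N = 1081$, $e = 5$, the sample message $w = 4$ (which has order $p'q' = 253$ modulo this $N$), $l = 16$, and a constructed digest value $m = 1000$; the "forged" signature is simply another element of $Z_N^*$. These parameters exist only to make the protocol arithmetic checkable and are far too small for real use.

```python
# Toy parameters, constructed for illustration only (a real signer uses ~1024-bit safe primes).
P, Q = 23, 47                 # safe primes p = 2p'+1, q = 2q'+1
N = P * Q                     # 1081
PHI = (P - 1) * (Q - 1)       # phi(N) = 1012
L = 16                        # security parameter l of the denial protocol (paper: 1024)


class Signer:
    """P keeps (e, d) secret and publishes (N, w, S_w); w must have order at least p'q'."""

    def __init__(self, e, w):
        self.e, self.d, self.w = e, pow(e, -1, PHI), w
        self.S_w = pow(w, self.d, N)                 # sample signature on the sample message w

    def public(self):
        return self.w, self.S_w

    def sign(self, m):                               # Stage 2
        return pow(m, self.d, N)

    def respond(self, C):                            # (3-2)
        return pow(C, self.e, N)

    def find_r(self, m, S_m, C1, C2):                # (4-2)
        base = pow(S_m, self.e, N) * pow(m, -1, N) % N        # S_m^e / m
        target = pow(C1, self.e, N) * pow(C2, -1, N) % N      # C_1^e / C_2 = base^{c1}
        return next((r for r in range(1, L + 1) if pow(base, r, N) == target), None)


def confirm(signer, m, S_m, c1, c2):
    """Stage 3 from V's side; c1, c2 in [1, N] are V's random challenges."""
    w, S_w = signer.public()
    C = pow(S_m, c1, N) * pow(S_w, c2, N) % N          # (3-1)
    R = signer.respond(C)                               # (3-2): R = C^e
    return R == pow(m, c1, N) * pow(w, c2, N) % N       # (3-3)


def disavow(signer, m, S_m, c1, c2):
    """Stage 4 from V's side; c1 in [1, l], c2 in [1, N]. True means V accepts the denial."""
    w, S_w = signer.public()
    C1 = pow(S_m, c1, N) * pow(S_w, c2, N) % N          # (4-1)
    C2 = pow(m, c1, N) * pow(w, c2, N) % N
    return signer.find_r(m, S_m, C1, C2) == c1          # (4-3)


def demo(c1=5, c2=7):
    """A genuine signature confirms and cannot be disavowed; a forged one does the opposite."""
    signer = Signer(e=5, w=4)          # 4 has order p'q' = 253 modulo this toy N
    m = 1000                           # constructed digest value, already reduced modulo N
    S_m = signer.sign(m)
    forged = S_m * signer.w % N        # any value other than m^d
    return (confirm(signer, m, S_m, c1, c2), disavow(signer, m, S_m, c1, c2),
            confirm(signer, m, forged, c1, c2), disavow(signer, m, forged, c1, c2))


if __name__ == "__main__":
    print(demo())
```

demo() returns (confirm genuine, disavow genuine, confirm forged, disavow forged) = (True, False, False, True). The denial run on the genuine signature shows the soundness bound: $S_m^{e} / m = 1$, so every $r$ satisfies the equation, find_r returns $r = 1$, and the denial is wrongly accepted exactly when $V$ happened to choose $c_1 = 1$, i.e. with probability $1/l$ per run; this is why the paper repeats the protocol.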

5 Improved Threshold RSA Signature Scheme 

In this section, we present an improved threshold RSA signature scheme based on Shoup's scheme [20], which has the same security level and is more efficient than Shoup's scheme. Furthermore, it seems intractable to directly generalize Shoup's scheme to the undeniable setting, but our scheme can be generalized to a threshold undeniable signature if the methods used in [12] are adopted. In essence, we simplify the signing equation of Shoup's scheme. Now, we first describe our improved threshold signature scheme, then compare the security and efficiency of our scheme and Shoup's.



5.1 Description of Threshold RSA Signature Scheme 

The dealer $D$ chooses an RSA modulus $N$ as the product of two large safe primes as described in Section 2. The dealer $D$ also chooses the RSA public exponent $e$ as a prime such that $n < e < \min\{p', q'\}$, and the secret exponent $d \in Z_M$ is the integer which satisfies $de = 1 \bmod M$.

Stage 1. Distribution of Secrets

(1-1) The dealer $D$ randomly selects a polynomial $f(x)$ of degree at most $t - 1$. Let $f(x) = \sum_{j=0}^{t-1} a_j x^{j} \in Z_M[x]$, where $a_0 = d$ and $a_j \in_R Z_M$ ($j = 1, 2, \dots, t - 1$).

(1-2) Dealer $D$ computes $d_i$ as follows and sends $d_i$ to member $U_i$ secretly:

$$d_i = f(i) \cdot (n!)^{-1} \bmod M, \quad i = 1, 2, \dots, n. \quad (1)$$

For any index subset $B$ with $t$ elements, it is easy to see that these $d_i$ satisfy the following equation according to the Lagrange interpolation formula:

$$d = \sum_{i \in B} d_i \cdot \lambda_{B,i} \bmod M, \quad \text{where } \lambda_{B,i} = n! \prod_{j \in B \setminus \{i\}} \frac{j}{j - i} \in Z. \quad (2)$$

(The factor $n!$ is what makes every $\lambda_{B,i}$ an integer; it is cancelled by the $(n!)^{-1}$ in (1).)

(1-3) Dealer $D$ randomly selects a generator $v$ of $Q_N$ and computes

$$v_i = v^{d_i} \bmod N \in Q_N, \quad i = 1, 2, \dots, n.$$

In addition, $D$ chooses an element $u \in Z_N^*$ such that the Jacobi symbol of $u$ is $-1$, i.e. $J(u|N) = -1$.

(1-4) $D$ publishes or broadcasts $N$, $e$, $n$, $u$, $v$ and all $v_i$ ($i = 1, 2, \dots, n$).

Stage 2. Generation and Verification of Partial Signatures

If member $U_i$ wants to sign an original message $m_0$, then $U_i$ first computes the digest $m$ as

$$m = \begin{cases} H(m_0), & \text{if } J(H(m_0)|N) = 1 \\ H(m_0)\, u, & \text{if } J(H(m_0)|N) = -1 \end{cases} \quad (3)$$

This forces $J(m|N) = 1$. Now, $U_i$ computes his partial signature as follows:

$$S_i = m^{4 d_i} \bmod N. \quad (4)$$

Last, $U_i$ runs the $\mathrm{DLE}(v, v_i; m^{4}, S_i; d_i)$ protocol (where $m^{4}$ is computed mod $N$) to construct the proof $\mathrm{Proof}_{U_i}$ showing the validity of the partial signature $S_i$ by revealing that $\log_{v} v_i = \log_{m^4} S_i$ ($= d_i$). $U_i$ publishes or broadcasts $(i, m, S_i, \mathrm{Proof}_{U_i})$ as his partial signature message.

Stage 3. Generation and Verification of Threshold Signature

If there are at least $t$ honest members (i.e., they generated valid partial signatures), then by choosing any $t$ honest members $U_i$ ($i \in B$ and $|B| = t$), each member can compute the threshold RSA signature $S$ as follows:

$$S = \prod_{i \in B} S_i^{\lambda_{B,i}} \bmod N \ \ (= m^{4d} \bmod N). \quad (5)$$

A verifier can check the validity of a threshold signature $(m_0, S)$ by the following equality:

$$S^{e} = m^{4} \bmod N. \quad (6)$$

Of course, the $m$ in the above equality has been processed by equation (3).

We have completed the description of our improvement to Shoup's scheme. The essential improvement is that Shoup's signing equation, displayed as equation (7) below, is replaced by equation (5) in our scheme:

$$\tilde{S} = S^{a} m^{b} \bmod N \ \ (= m^{d} \bmod N), \quad (7)$$

where $a, b$ are two public integers such that $4a + eb = 1$ (such integers exist since $\gcd(4, e) = 1$), and $S$ is determined by equation (5).
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5.2 Discussions of Threshold RSA Signature Scheme 

Now, we will briefly discuss the validity, security and efficiency of our scheme.

Theorem 1. (Validity of the Scheme) If at least $t$ honest members produced valid partial signatures and correct proofs, then the threshold signature determined by equation (5) satisfies the signature verification equation (6).

Proof. According to (2), for an index subset $B \subseteq \{1, 2, \dots, n\}$ with $t$ elements we know that there exists an integer $k$ such that $\sum_{i \in B} d_i \lambda_{B,i} = d + kM$. Therefore, from equations (5) and (4), and since $\varphi(N) = 4M$, we have

$$S = \prod_{i \in B} S_i^{\lambda_{B,i}} \bmod N = m^{4 \sum_{i \in B} d_i \lambda_{B,i}} \bmod N = m^{4d + 4kM} \bmod N = m^{4d + k\varphi(N)} \bmod N = m^{4d} \bmod N. \quad (8)$$

On the other hand, $ed = 1 \bmod M$, so there exists an integer $k'$ such that $ed = 1 + k'M$. Hence,

$$S^{e} = m^{4ed} \bmod N = m^{4 + 4k'M} \bmod N = m^{4} \bmod N. \quad (9)$$

So, the signature $S$ on message $m$ satisfies the verification equation (6). □

Theorem 2. (Unforgeability of the Scheme) An attacker $I$ can forge a valid signature on message $m$ in our scheme if and only if he can forge a valid signature on the same message in Shoup's scheme.

Proof. Suppose attacker $I$ can forge a valid signature $S$ on message $m$ in our scheme, such that $S^{e} = m^{4} \bmod N$. Then, by using the public parameters $a$ and $b$ of Shoup's scheme, attacker $I$ can compute the value $\tilde{S} = S^{a} m^{b} \bmod N$. The following reasoning shows that $\tilde{S}$ is a valid signature on message $m$ in Shoup's scheme:

$$\tilde{S}^{e} = (S^{a} m^{b})^{e} \bmod N = (S^{e})^{a} m^{be} \bmod N = m^{4a + eb} \bmod N = m \bmod N.$$

So attacker $I$ has successfully forged the signature on message $m$ in Shoup's scheme.

On the other hand, suppose attacker $I$ can forge a valid signature $\tilde{S}$ on message $m$ in Shoup's scheme, such that $\tilde{S}^{e} = m \bmod N$. Then let $S = \tilde{S}^{4} \bmod N$. We have

$$S^{e} = (\tilde{S}^{4})^{e} \bmod N = (\tilde{S}^{e})^{4} \bmod N = m^{4} \bmod N.$$

The above equalities show that attacker $I$ has successfully forged the signature $S$ on message $m$ in our scheme. □

Furthermore, as Shoup did in [20], the following theorem holds.

Theorem 3. (Security of the Scheme) In the random oracle model for the hash function $H$, our threshold signature scheme is secure (robust and non-forgeable) assuming the standard RSA signature scheme is secure.
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In addition, comparing with Shoup’s scheme, our threshold signature scheme 
possesses several advantages as follows. 

— Simple Signing Equation. The signing equation in our scheme is S' = 

mod IV, which is simpler than Shoup’s signing equation S = S°"m^ mod 
N . In general, a and b are large integers, and one of them must be negative. 
Therefore, computing a signature in Shop’s scheme is lower than in our 
scheme. 

— Protecting the Modulus. Because one of the two parameters a and b is 
negative integer in Shoup’s scheme, one inverse, S~^ mod N or m~^ mod N, 
has to be computed before generating every threshold signature. Once the 
inverse element cannot be found (of course, this case occurs in a negligent 
possibility because factoring RSA modulus is difficult.), a factor of N has 
been found and this RSA cryptosystem is crashed then. Therefore, Shoup’s 
signing equation does a negative effect in protecting the RSA modulus N. 
But, our scheme is immune to this problem. 

— Scalability. Our scheme can be generalized to a threshold undeniable 
signature scheme (see section 5 of this paper), but Shoup’s scheme seems 
intractable to generalize to this case. 

— Public Exponent . In fact, the public exponent e in our scheme can be 
selected as any element of not necessarily a prime. 

In addition, in order to verify the honesty of the dealer D, verifiable secret 
sharing [17] or publicly verifiable secret sharing schemes [21, 18] can be intro- 
duced. But the discussion about these problems is out the scope of this paper. 

6 Threshold Undeniable RSA Signature Scheme 

In this section, we propose a threshold undeniable RSA signature scheme with fine properties. As far as we know, this is the first threshold undeniable signature scheme based on the RSA cryptosystem so far. In our scheme, by using Shamir's secret sharing scheme [19], the dealer $D$ distributes the RSA signing and verifying key pair $(e, d)$ to all $n$ members of group $U$, such that each subgroup of $t$ honest members can generate an undeniable RSA signature. At the same time, any $t$ cooperating members can represent group $U$ in confirming or disavowing an alleged signature. In addition, the honesty of each participating member is verifiable in all three procedures of signature generation, confirmation and denial.

In essence, this scheme is constructed by combining Gennaro et al.'s undeniable RSA signature scheme of Section 4 and the improved threshold RSA signature scheme of Section 5, but many details are handled carefully in order to obtain a secure and practical scheme. Now, we describe the scheme in detail.

Stage 1: System Initialization

After selecting an RSA modulus $N$ of the form defined in Section 2, the dealer $D$ chooses the signing and verifying key pair $(e, d)$ such that $ed = 1 \bmod M$ and $e$ is a prime. Suppose that $n$, the number of members in group $U$, satisfies $n < \min\{p', q'\}$. In addition, let $\varepsilon = e \cdot 4^{-1} \bmod M$, so that $4\varepsilon = e \bmod M$.
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Stage 2: Distribution of Secrets 

(2-1) The dealer D chooses two random polynomials f{x),g{x) £ Zm[x], such 
that /(O) = d and g{0) = e. Then, D computes the sub-keys as follows. 

di = f{i){n\)~^ mod M, Ci = g{i) ■ (n!)“^ mod M, i = 1, 2, • • • , n. 

Hence, to any subset B of size t in {1, 2, 3, • • • , n}, sub- keys di, Ci satisfy 
the following properties {Xsi displayed in (2)): 

d = ^ di ■ Xsi mod M, e = ^ Cj • Xsi mod M. (10) 

ieB ieB 

(2-2) The dealer D selects a random generator w oi Qn and computes: 

Sw = mod N, Tyj = mod iV. , , 

Swi = mod N, Tyji = mod N, t = 1, 2, • • • , n. 

(2-3) The dealer D randomly chooses a fixed element u in such that it’s 
Jacobi value respect to N is —1, i.e. 

J{u\N) = -1, u £r Z%. (12) 

(2-4) The dealer D publishes N, n, u, w, S^, and Swi, Twi{i = 1, 2, • • • , n), but 
sends di and Ci to Ui secretly. 

(2-5) Ui verifies the following equations: 

mod N, Tyji = mod N. 

Sw = n,eB mod N, = UjeB mod N. ^ 

Where, B can be any subset with t elements of {1,2, If finding 

any of the above equations does not hold, Ui proclaims this fact, then the 
dealer D is considered to be failed in distributing the secrets. Otherwise, 
the dealer is successful. 

Stage 3: Generation and Verification of Partial Signature 

(3-1) If the member Ui wants to sign the original message mg, he first computes 
message digest m of toq by using equation (3) such that we always have 
J{m\N) = 1. 

(3-2) Ui computes the partial signature of m as following: 

Smi = mod N. (14) 

Then, Ui runs the , S^i, tti? , Smi, di) protocol (where, and rnS 

all are computed in mod N) and constructs the proof Proofjji to indicate 
that log „2 Sn,i = log ,„2 Smi {= di). 

(3-3) Using Proofui, any member can verify whether the partial signature Smi 
is signed by Ui. 
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Stage 4: Generation of Threshold Undeniable Signature 

If there are t members Ui{i G B and \B\ = t) who have generated valid partial 
signatures, then the threshold undeniable signature Sm on message m can be 
computed by the following equation: 

S'™ = n mod N (= mod N). (15) 

ieB 

Stage 5: Confirmation Protocol 

After getting the consent of t members Ui{i € B and \B\ = t), V can run the 
following confirming protocol with these t members to check whether an alleged 
signature (m, S™) is signed by group U. 

(5-1) V selects two random numbers Ci,C 2 Gr [l,fV], computes the following 
challenger C and sends or broadcasts it to every member Ui{i G B): 

C=S^S^^modN. (16) 

(5-2) After Ui received C, he computes his partial response Ri as: 

Ri = C‘^^* mod N. (17) 

Using the protocol DLE(w^, C^, e^), Ui produces the proof 

Proofui broadcasts {Ri.Proofui)- Obtained this information, each 
member can verify the validity of Ri . If all these t members have produced 
their correct partial responses Ri, then the response R can be determined 
by the following equation, and be sent to V: 

i?= mod iV(=C‘‘® mod A). (18) 

ieB 

(5-3) V verifies whether the following equality holds after he received R: 

R = mod N. (19) 

If yes, then V accepts the signature i-e. he believes that S'™ is 

U’s valid signature on message m. Otherwise, the denial protocol has to 
be run to determine whether (m, S™) is not a signature of U. 

Stage 6: Denial Protocol 

When t members Ui{i G B and \B\ = t) agree to deny an alleged signature 
V and Ui{i G B) run the following denial protocol. 

(6-1) V selects two random numbers ci Gr [1, /], C 2 Gr [1, N], then he computes 
(Cl, C 2 ) as follows and sends or broadcasts them to every Ui {i G B). 



Cl = mod N, C 2 = mod N. 



(20) 
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(6-2) All Ui{i G B) use their sub-keys to compute: 

mod N, mod N. (21) 

ieB ieB 

Then they search all possible values in [1 , 1] to find a number r such that 
the following equation holds, and send this r to the verifier V : 

= Cf/C 2 ^'' modN. (22) 

(6-3) V verifies whether r = ci. If yes, then V rejects the signature Sm, i-e. V 
believes that Sm is not group C/’s signature on message m. Otherwise, V 
considers that these members Ui {i G B) is trying to deny C/’s threshold 
signature Sm deliberately. 



7 Analysis of the Proposed Scheme 

Now, we give a brief discussion of the validity and security of the above threshold undeniable RSA signature scheme. First, it is not difficult to verify the completeness of our scheme from the descriptions, i.e. if all $t$ members are honest and have produced valid partial signatures, then the resulting threshold undeniable signature will pass the confirmation protocol. Second, Shamir's secret sharing scheme [19] is used to distribute the secrets in our scheme, so an attacker $I$ cannot generate a valid threshold undeniable signature if the number of members controlled by $I$ is less than $t$. Third, in all three procedures of generation, confirmation and denial of an undeniable signature, all corrupted members will be identified, because each participating member has to run the DLE protocol to construct the proof that it has operated properly in these procedures. Last, from the security of Gennaro et al.'s scheme [12], one can conclude that no sub-key is compromised when a member uses it to confirm or deny an undeniable signature. Hence, we have proposed a secure, robust and efficient threshold undeniable signature scheme with a dealer.



8 Future Work 

In future research, we will consider generalizing our threshold undeniable RSA signature scheme to the distributed environment where there is no help from a dealer or a trusted party. Some relevant work has been done by Frankel, MacKenzie and Yung [11], and by Damgard and Koprowski [9].

Abstract. In this article, we propose two types of multiple digital signatures for batch verification. Our schemes are not only efficient, reducing the computation needed to verify these signatures, but also secure, detecting forged multiple digital signatures.



1 Introduction 

In 1994, Naccache et al. [8] proposed an efficient scheme for batch verifying multiple DSA digital signatures. The merit of their scheme is that a signer signs t documents using his/her private key separately and sends the multiple digital signatures to a verifier. The verifier can verify these multiple digital signatures with the signer's public key using only one verification instead of t verifications. However, this scheme is insecure: it was attacked by Lim and Lee [7]. An attacker can easily forge multiple digital signatures that make a false batch verification valid.

Recently, Harn proposed two efficient non-interactive batch verification protocols for DSA-type and RSA-type multiple digital signatures, respectively [2, 3]. For convenience, in this article BV-DSA is short for the DSA-type scheme and BV-RSA is short for the RSA-type scheme. Both the BV-DSA and BV-RSA schemes resist Lim and Lee's attack [7]. However, there are some weaknesses in the BV-RSA scheme [5].

In this article, we show that there is a weakness in the BV-DSA scheme as well. To overcome the weaknesses in the BV-DSA and BV-RSA schemes, we propose two simple and secure improvements of these schemes.

2 The Weaknesses of BV-DSA and BV-RSA Schemes 

In the next two subsections, we briefly review the BV-DSA [2] and BV-RSA [3] schemes and some weaknesses in these schemes.

2.1 The Weakness of BV-DSA Scheme

We briefly review the DSA digital signature [4,6] as follows. Let p be a large prime; q be a factor of (p − 1); g be a generator of order q in GF(p); x and y be a signer's private key and public key, respectively. Here, $y = g^x \bmod p$. When a sender wants to send a signed message M to a receiver, he/she must generate a digital signature (r, s) as follows: $r = (g^k \bmod p) \bmod q$, $s = rk - Mx \bmod q$, where k is a random number generated by the sender. Once receiving (M, r, s) from the sender, the receiver can verify the correctness of the signature on the message M by checking the equation $r = (g^{s r^{-1}} y^{M r^{-1}} \bmod p) \bmod q$.

Next, we review Harn's BV-DSA digital signature as follows.

Generating Multiple Digital Signatures:

Assume that a sender, Alice, wants to send t messages $M_1, M_2, \cdots, M_t$ and digital signatures $(r_1, s_1), (r_2, s_2), \cdots, (r_t, s_t)$ to a receiver, Bob, where $r_i = (g^{k_i} \bmod p) \bmod q$; $s_i = r_i k_i - M_i x \bmod q$, $i = 1, 2, \cdots, t$; $k_i$ is a random number; and x is Alice's secret key.



Batch Verifying Multiple Digital Signatures: 

After receiving these digital signatures from Alice, Bob verifies the correctness of these multiple digital signatures on messages $M_1, M_2, \cdots, M_t$ using Alice's public key y in the following equation:

$\cdots = \left( g^{\sum_{i=1}^{t} s_i r_i^{-1}}\, y^{\sum_{i=1}^{t} M_i r_i^{-1}} \bmod p \right) \bmod q.$ (1)



The BV-DSA scheme is simple and efficient for verifying multiple digital signatures. However, there is a weakness in this scheme. A dishonest signer, Alice, can forge individual signatures and make a false batch verification valid. Assume that Alice sends t messages $M_i$ and forged signatures $(r_i, s'_i)$, $i = 1, 2, \cdots, t$, to Bob, where $s'_i = s_i + a_i r_i \bmod q$, $i = 1, 2, \cdots, t$; $a_i$ is an integer such that $\sum_{i=1}^{t} a_i = 0$. Since $s'_i r_i^{-1} = s_i r_i^{-1} + a_i$, the exponent sum in Equation (1) is unchanged by this forgery.

By verifying Equation (1), Bob is convinced that these messages are signed by Alice. However, when a dispute occurs, Alice can deny her digital signatures because $r_i \neq (g^{s'_i r_i^{-1}} y^{M_i r_i^{-1}} \bmod p) \bmod q$, $i = 1, 2, \cdots, t$.



2.2 The Weakness of BV-RSA Scheme 

We briefly review the RSA digital signature [1,9] as follows. Let $n = p \times q$, where p and q are two large primes; e and d are a signer's public key and private key, respectively, such that $e \times d \bmod (p-1)(q-1) = 1$. When a signer, Alice, wants to send a signed message M to a receiver, Bob, she must generate a digital signature S as follows: $S = h(M)^d \bmod n$, where $h(\cdot)$ is a public one-way hash function. Once receiving (M, S) from Alice, Bob can verify the correctness of the signature on the message M by checking the equation $h(M) = S^e \bmod n$. Next, we review the BV-RSA digital signature as follows.

Generating Multiple Digital Signatures:

Assume that a signer, Alice, wants to send messages $M_1, M_2, \cdots, M_t$ and signatures $S_1, S_2, \cdots, S_t$ to a receiver, Bob. The multiple signatures $S_1, S_2, \cdots, S_t$ are signed using Alice's private key d as follows: $S_i = h(M_i)^d \bmod n$, $i = 1, 2, \cdots, t$.

Batch Verifying Multiple Digital Signatures:

After receiving these multiple signatures from Alice, Bob verifies the correctness of these multiple digital signatures on messages $M_1, M_2, \cdots, M_t$ using Alice's public key e by checking the following equation:

$\left( \prod_{i=1}^{t} S_i \right)^e = \prod_{i=1}^{t} h(M_i) \bmod n.$ (2)

The BV-RSA scheme is simple and efficient for verifying multiple RSA digital signatures. However, Hwang et al. showed that there is a weakness in this scheme [5]. A dishonest signer, Alice, can forge individual digital signatures and make a false batch verification valid. Hwang et al. [5] also proposed two methods to attack the BV-RSA scheme.

In the first method, a dishonest signer (Alice) sends messages and the forged digital signatures $(M_i, S'_i)$, $i = 1, 2, \cdots, t$, to a verifier (Bob), where $S'_i = h(M_{f(i)})^d \bmod n$, $i = 1, 2, \cdots, t$; $f(\cdot)$ is a one-to-one and onto function such that $f(i) = j$, $i = 1, 2, \cdots, t$ and $j = 1, 2, \cdots, t$.

In the second method, a dishonest signer sends messages and the forged digital signatures $(M_i, S'_i)$, $i = 1, 2, \cdots, t$, to a verifier, where $S'_i = \alpha_i \times S_i \bmod n$, $i = 1, 2, \cdots, t$, and $\alpha_i$

By verifying Equation (2) in the above two methods, Bob is convinced that these messages are signed by Alice. However, when a dispute occurs, Alice can deny her signed messages because $h(M_i) \neq (S'_i)^e \bmod n$.

3 Our Improved Schemes 

We have described the weaknesses of the BV-DSA and BV-RSA schemes in Section 2. A dishonest signer can forge individual digital signatures and make a false batch verification valid.

To remedy these weaknesses of BV-DSA and BV-RSA, we propose two simple and secure improvements of the BV-DSA and BV-RSA multiple digital signatures in this section. The key point of our improved schemes is that we put the multiple digital signatures in order. The dishonest signer cannot transpose these digital signatures in such a way that a verifier passes the validation of the batch verification of multiple digital signatures.

The Improvement of BV-DSA Scheme: 

The difference between BV-DSA and our improved scheme is only in Equation (1). In our improved scheme, Equation (1) is modified as follows:

$\cdots = \left( g^{\sum_{i=1}^{t} s_i r_i^{-1} v_i}\, y^{\sum_{i=1}^{t} M_i r_i^{-1} v_i} \bmod p \right) \bmod q,$ (3)

where $v_i$, $i = 1, 2, \cdots, t$, are small random numbers which are randomly chosen by the verifier.



The Improvement of BV-RSA Scheme: 

The difference between BV-RSA and our improved scheme is in Equation (2). In our improved scheme, Equation (2) is modified as follows:

$\left( \prod_{i=1}^{t} S_i^{v_i} \right)^e = \prod_{i=1}^{t} h(M_i)^{v_i} \bmod n.$ (4)

Next, we analyze the security of our improved schemes. Based on Harn's BV-DSA and BV-RSA schemes, the security of our improved schemes is the same as that of their schemes, except that our improved schemes do not have the weaknesses of their schemes.

In our improved BV-DSA scheme, a dishonest signer cannot use the methods of Section 2 to cheat a verifier into passing the batch verification of multiple digital signatures. After receiving some multiple signatures, a verifier randomly chooses some integers and verifies the validity of these multiple signatures by Equation (3). Once one or more signatures are modified, the verifier fails the validation of the batch-verified signatures. If a dishonest signer wants to make some false multiple digital signatures $(r_i, s'_i)$ valid, he/she must make the following equation hold:

$\sum_{i=1}^{t} s_i r_i^{-1} v_i = \sum_{i=1}^{t} s'_i r_i^{-1} v_i \pmod q.$ (5)

Since the signer does not know the values $v_i$, it is difficult for him/her to make Equation (5) hold.

In our improved BV-RSA scheme, the security analysis is similar to that of our improved BV-DSA scheme. If a dishonest signer wants to make some false multiple digital signatures $(S'_i)$ valid, he/she must make the following equation hold:

$\prod_{i=1}^{t} S_i^{v_i} = \prod_{i=1}^{t} S_i'^{\,v_i}.$ (6)

Again, it is difficult for the signer to make the above equation hold because he/she does not know these random integers $v_i$.
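The two forgeries of Section 2.2 and the weighted check of Equation (4), as an added Python example (not code from the paper): a constructed toy RSA key with small primes, SHA-256 reduced mod n as h(.), and function names of my own choosing. The scaling forgery is built with the product of the alpha_i equal to 1 mod n, which is what makes Equation (2) still hold; the weights v_i are chosen by the verifier after the signatures arrive, so neither forgery can be tuned to them.

```python
import hashlib
import random

# Constructed toy RSA key: two small primes keep the numbers readable.
# (Illustration only; a real key uses primes of ~1024 bits or more.)
P_, Q_ = 1000000007, 998244353
N = P_ * Q_
E = 65537
D = pow(E, -1, (P_ - 1) * (Q_ - 1))


def h(msg):
    """Public one-way hash h(.) of the paper, here SHA-256 reduced mod n."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(msg):
    """RSA signature S_i = h(M_i)^d mod n."""
    return pow(h(msg), D, N)


def individual_verify(msg, sig):
    """Single-signature check h(M) = S^e mod n."""
    return pow(sig, E, N) == h(msg)


def batch_verify(msgs, sigs):
    """BV-RSA, Equation (2): (prod S_i)^e = prod h(M_i) mod n."""
    lhs, rhs = 1, 1
    for m, s in zip(msgs, sigs):
        lhs = lhs * s % N
        rhs = rhs * h(m) % N
    return pow(lhs, E, N) == rhs


def batch_verify_weighted(msgs, sigs, weights):
    """Improved BV-RSA, Equation (4): (prod S_i^{v_i})^e = prod h(M_i)^{v_i} mod n,
    with small random v_i chosen by the verifier after seeing the signatures."""
    lhs, rhs = 1, 1
    for m, s, v in zip(msgs, sigs, weights):
        lhs = lhs * pow(s, v, N) % N
        rhs = rhs * pow(h(m), v, N) % N
    return pow(lhs, E, N) == rhs


def forge_by_permutation(sigs, f):
    """Hwang et al. method 1: S'_i = S_{f(i)} for a bijection f on {0..t-1}."""
    return [sigs[f[i]] for i in range(len(sigs))]


def forge_by_scaling(sigs, alphas):
    """Hwang et al. method 2: S'_i = alpha_i * S_i mod n.  The caller supplies alphas
    whose product is 1 mod n (my completion of the condition), so Eq. (2) still holds."""
    return [a * s % N for a, s in zip(alphas, sigs)]


def demo(seed=1):
    """Honest batch, both forgeries against Eq. (2), and the Eq. (4) fix."""
    rng = random.Random(seed)
    msgs = [b"pay 10 to carol", b"pay 20 to dave", b"pay 30 to erin"]   # constructed
    sigs = [sign(m) for m in msgs]
    # Forgery 1: cyclic transposition f = (1, 2, 0).
    f1 = forge_by_permutation(sigs, [1, 2, 0])
    # Forgery 2: alphas a, b, (ab)^-1, so their product is 1 mod n.
    a, b = rng.randrange(2, N - 1), rng.randrange(2, N - 1)
    f2 = forge_by_scaling(sigs, [a, b, pow(a * b, -1, N)])
    weights = [rng.randrange(1, 1 << 20) for _ in msgs]   # verifier's v_i of Eq. (4)
    return {
        "honest_plain": batch_verify(msgs, sigs),
        "honest_weighted": batch_verify_weighted(msgs, sigs, weights),
        # Both forgeries pass the unweighted batch check ...
        "forged_pass_plain": batch_verify(msgs, f1) and batch_verify(msgs, f2),
        # ... although no forged signature verifies individually ...
        "forged_fail_individual": not any(
            individual_verify(m, s) for f in (f1, f2) for m, s in zip(msgs, f)),
        # ... and both are caught by the weighted check.
        "forged_fail_weighted": not (batch_verify_weighted(msgs, f1, weights)
                                     or batch_verify_weighted(msgs, f2, weights)),
    }
```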



4 Conclusion 

We have shown that there are some weaknesses in the BV-DSA and BV-RSA schemes. We also proposed two improvements of the BV-DSA and BV-RSA schemes. Our schemes are not only simple but also secure, remedying these weaknesses of the BV-DSA and BV-RSA schemes.

Abstract. The Camellia block cipher, which has a 128-bit block size and supports 128-, 192- and 256-bit keys, is one of the NESSIE (New European Schemes for Signatures, Integrity and Encryption) candidates. The Square attack on Camellia is studied in this paper. With a detailed analysis of the round function of Camellia, an extension of the Square attack to 6 rounds that is faster than exhaustive key search was found. The result of the paper shows that the Square attack is the best attack on Camellia.



1 Introduction 

With the development of computer networks, block ciphers, as the key technique of security in the network, become more and more important. As AES (Advanced Encryption Standard) draws to its end in the USA, Europe has started the NESSIE (New European Schemes for Signatures, Integrity and Encryption) project. The main objective of the project is to maintain the strong position of European research while strengthening the position of European industry in cryptography. Like AES, the NESSIE project is an open process. There are 17 new block cipher algorithms among the accepted NESSIE submissions, and the Camellia block cipher [1] is one of them.

The Square attack is a dedicated attack on the Square cipher that exploits the byte-oriented structure of the cipher and was proposed by the algorithm designers J. Daemen, L. Knudsen and V. Rijmen [2]. The attack is a chosen-plaintext attack and is independent of the specific choices of S-box and key schedule. Choosing a Λ-set, which is a special set of plaintexts, the Square attack eliminates some wrong keys based on the balance of the ciphertexts, and repeats this process with other Λ-sets until the cipher key can be found. The Square attack is also valid for Rijndael [3] and Anubis [6], which are similar in structure to Square. So far the attack is the best attack on AES and has become one of the most important methods of attacking block ciphers. H. Gilbert and M. Minier [5] extended the attack to 7 rounds for the 196-key-bit and 256-key-bit versions of Rijndael by exploiting the existence of collisions

* This project is supported by the National Key Basic Research Program of China 
under Grant No. G1999035810 and the National Natural Science Foundation of 
China under Grant No. 60083007. 
between partial functions. With a dynamic programming technique, N. Ferguson, J. Kelsey and S. Lucks [4] reduced the complexity of the Square attack by partial sums.

In this paper, the Square attack on Camellia, a Feistel-structure cipher, is discussed. With a detailed analysis of the round function, an attack on 6-round reduced Camellia that requires $13 \times 2^8$ chosen plaintexts with a complexity of $2^{112}$ cipher executions was found. The result shows that the Square attack is valid not only for structures similar to Square but for Feistel structures also. This paper is organized as follows. In Section 2 the outline of Camellia is provided. The basic analysis for 4 rounds of Camellia is discussed in Section 3. Section 4 describes the 5-round attack and extends it to 6 rounds with the detailed analysis of the round function. In Section 5 the complexity of the attack is analyzed, and finally the paper is concluded.

2 An Outline of Camellia 

In this section we briefly describe the Camellia algorithm. Camellia is a block cipher supporting a 128-bit block size and 128-, 192- and 256-bit keys. The algorithm is composed of the encryption and decryption procedures and the key schedule. In the following we introduce the round structure only, since the Square attack is independent of the key schedule.

Camellia uses an iterative round function in a Feistel structure with additional input/output whitening and an FL-function and FL$^{-1}$-function inserted every 6 rounds. The round function F[K], which depends on the round key $K \in GF(2^8)^8$ and maps a 64-bit block to a 64-bit block, is an SPN (Substitution-Permutation Network) structure:

$F[K] : GF(2^8)^8 \to GF(2^8)^8.$

The round function is composed of three functions, $\sigma[K]$ and the P-function as the linear layer and the S-function as the non-linear layer, i.e.

$F[K] = P \circ S \circ \sigma[K],$ (1)

where

— the S-function uses 4 different S-boxes $s_1, s_2, s_3$ and $s_4$:

$S : GF(2^8)^8 \to GF(2^8)^8,$

$S(x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8) = (s_1(x_1), s_2(x_2), s_3(x_3), s_4(x_4), s_2(x_5), s_3(x_6), s_4(x_7), s_1(x_8));$ (2)

— the P-function is a linear mapping

$P : GF(2^8)^8 \to GF(2^8)^8; \qquad P(Z) = Z',$

where

$Z'_1 = Z_1 \oplus Z_3 \oplus Z_4 \oplus Z_6 \oplus Z_7 \oplus Z_8$

$Z'_2 = Z_1 \oplus Z_2 \oplus Z_4 \oplus Z_5 \oplus Z_7 \oplus Z_8$

$Z'_3 = Z_1 \oplus Z_2 \oplus Z_3 \oplus Z_5 \oplus Z_6 \oplus Z_8$

$Z'_4 = Z_2 \oplus Z_3 \oplus Z_4 \oplus Z_5 \oplus Z_6 \oplus Z_7$

$Z'_5 = Z_1 \oplus Z_2 \oplus Z_6 \oplus Z_7 \oplus Z_8$

$Z'_6 = Z_2 \oplus Z_3 \oplus Z_5 \oplus Z_7 \oplus Z_8$

$Z'_7 = Z_3 \oplus Z_4 \oplus Z_5 \oplus Z_6 \oplus Z_8$

$Z'_8 = Z_1 \oplus Z_4 \oplus Z_5 \oplus Z_6 \oplus Z_7$ (3)

— $\sigma[K]$ is an exclusive-or operation with the key:

$\sigma[K](y) = y', \qquad y'_i = y_i \oplus k_i, \quad i = 1, 2, \cdots, 8.$



3 The Basic Result 

In this section we shall analyze the balance of the cipher through 4 rounds, considering a special Λ-set as the chosen plaintext set. This result is the base for the attack on Camellia by Square.



3.1 Concept and Notations 

First we shall introduce the Λ-set. A Λ-set is a set of 256 8-byte vectors (states) that are all different in some of the state bytes (active bytes) and all equal in the other state bytes (passive bytes). Its strict definition is as follows.

Definition 1. Let Λ be a set of 8-byte vectors and λ be an index set of the state bytes. If

$\forall x, y \in \Lambda,\ x \neq y: \qquad x_i \neq y_i \ \text{for } i \in \lambda, \qquad x_i = y_i \ \text{for } i \notin \lambda$

is satisfied, then Λ is said to be a Λ-set and λ the active bytes index set.

From the definition of the Λ-set and the three basic functions described in the previous section, it is easy to see that the nonlinear transformation S and the key exclusive-or function $\sigma[K]$ convert a Λ-set into a Λ-set with identical λ, while applying the linear transformation P to a Λ-set does not necessarily result in a Λ-set.

Now we give some notations that will be used in the sequel. We write $X^1$ for the right half of the 128-bit plaintext and $X^2$ for the left half. We will use $X^i$ to refer to the left input of the i-th round, $A^i$ the state at the beginning of the P-function in the i-th round and $B^i$ the state at the output of the P-function in the i-th round, and denote by

$F[K^i] = P \circ S \circ \sigma[K^i]$

the round function of the i-th round.
3.2 The Basic Result

Consider a Λ-set as the right half of the 128-bit plaintexts in which only one byte is active, with the left half of the 128-bit plaintexts being constant, as shown in Figure 1. $X^3$ is still a Λ-set with only one active byte since $X^2$ is constant. The functions S and $\sigma[K]$ of the second round transform the Λ-set into a Λ-set, keeping λ unchanged. P of the second round converts the Λ-set into another Λ-set with more active bytes, each of which takes every value exactly once. This is still the case after S and $\sigma[K]$ of the third round. The Λ-set is subsequently transformed by P into a set that is not necessarily a Λ-set. Since the bytes of $A^3$ are either constant or range over all possible values exactly once, the exclusive-or of each component over the Λ-set results in 0. Note that each byte of $B^3$ is a linear combination of the bytes of $A^3$; for $i = 1, 2, \cdots, 8$ we have

$\bigoplus_{A^3 \in \Lambda} B^3_i = \bigoplus_{A^3 \in \Lambda} \bigoplus_{j=1}^{8} w_{ij} A^3_j = \bigoplus_{j=1}^{8} w_{ij} \bigoplus_{A^3 \in \Lambda} A^3_j = 0, \qquad B^3 = P(A^3),$

where $w_{ij} = 1$ or 0. $B^3_i$ is said to be balanced.

Theorem 1. If $X^1$ is a Λ-set with only one active byte and $X^2$ a constant, each byte of $X^4$ is balanced.

Proof. According to the previous analysis, we know that each byte of $B^3$ and $X^2$ is balanced. Note that Camellia is a Feistel structure and $X^4 = X^2 \oplus B^3$, so the result follows easily. □

In general this balance is destroyed by the S-function of the 4th round.



4 Attack on Camellia 

In this section we study the Square attack on reduced Camellia using the balance result obtained in the previous section.

4.1 Attack on 5 Rounds

As shown in Figure 1, the 5 rounds of the Camellia cipher can be regarded as the extension of 4 rounds by adding a round at the end. By means of the basic result of the last section, we shall give an attack on 5 rounds.

First we establish the relationship between $X^4$, the 4th round input, and $X^6$, the 5th round output, which is the key to our attack. Note that

$X^4 = X^6 \oplus B^5.$

If we know the round key $K^5$, we can calculate the output of $\sigma[K^5]$ and $B^5$ because the output of the 5th round is known. In general we have
Fig. 1. Attack on 5-round of Camellia

$X^i = X^{i+2} \oplus P \circ S(K^{i+1} \oplus X^{i+1}), \qquad i = 1, 2, 3, 4.$ (4)

This is illustrated in Figure 1.

Consider a Λ-set as $X^1$, in which only one byte is active and $X^2$ is constant, and record the corresponding ciphertexts $(X^5, X^6)$. For any assumed round key $K^5$, calculate $X^4$ by equation (4). Do this for all 256 ciphertexts in the set and check whether the exclusive-or of the 256 values of $X^4$ equals zero. If it does not, the guessed round key is wrong by Theorem 1 and is eliminated. A few wrong keys may pass the test; repeat it several times until the round key can be found. Since checking a single Λ-set leaves 1/256 of the keys as candidates and $2^{64}$ key values must be checked in our attack, the correct key is left with overwhelming probability after 8 Λ-sets.

4.2 Extension to 6 Rounds

In the following a further extension to an attack on 6 rounds, which is faster than exhaustive key search, is studied by improving our 5-round attack.

We shall start our research with a detailed analysis of the round function. We know that one output byte of the $\sigma[K]$ function or the S-function depends on only one input byte, and one output byte of the P-function depends on only part of the input bytes. From equation (1), it is easy to see that one output byte of the round function also depends on only part of the input bytes. For example, if bytes 1, 2, 6, 7, 8 of $A^5$ are known, from equation (3) we can deduce the 5th byte of $B^5$. And hence we have
Fig. 2. Extension of 6-round

$X^4(5) = X^6(5) \oplus B^5(5) = X^6(5) \oplus P(1, 2, 6, 7, 8).$ (5)

From this result, the attack on 5 rounds can be improved. As a matter of fact, by assuming only bytes 1, 2, 6, 7, 8 of $K^5$, we can calculate the corresponding output bytes of the function $\sigma[K^5]$ and the function S. And then we get the 5th byte of $B^5$ from equation (3). By Theorem 1 and equation (5), if the values of $X^4(5)$ are not balanced over the Λ-set, the assumed values for the round key bytes $K^5(1, 2, 6, 7, 8)$ were wrong.

Based on the improved 5-round attack, we now extend the attack to 6 rounds. Similar to the 5-round attack, take a Λ-set as $X^1$, in which only one byte is active and $X^2$ is constant, and record the 256 corresponding ciphertexts $(X^6, X^7)$. By guessing a value for $K^6$, we calculate $X^5$ from equation (4). And then, assuming the values for bytes 1, 2, 6, 7, 8 of $K^5$, $X^4(5)$ can be deduced from equation (5). Check whether the exclusive-or of all 256 values of $X^4(5)$ is zero. If it is not, the assumed $K^6$ and bytes 1, 2, 6, 7, 8 of $K^5$ are wrong. Since checking a single Λ-set leaves 1/256 of the keys as candidates and $2^{104}$ key values must be checked in our attack, the correct key is left with overwhelming probability after 13 Λ-sets.
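Theorem 1 and the partial-key test of Equation (5), as an added Python example (not the paper's code): a Camellia-shaped Feistel toy with the P-function and S-box ordering of Section 2, but with constructed random bijective S-boxes instead of the real s1..s4, no whitening, no FL layers, and round keys supplied directly (all assumptions of this example). It checks that every byte of the state entering the 4th round XORs to zero over a Λ-set with one active byte, and runs the Section 4.2 test on byte 5, scaled down to a search over a single byte of the 5th round key.

```python
import random

# Four constructed bijective 8-bit S-boxes.  They are NOT Camellia's real s1..s4:
# the Square property only needs each S-box to be a bijection (assumption).
_rng = random.Random(2001)
SBOX = []
for _ in range(4):
    _perm = list(range(256))
    _rng.shuffle(_perm)
    SBOX.append(_perm)
S_ORDER = [0, 1, 2, 3, 1, 2, 3, 0]   # Camellia's order s1,s2,s3,s4,s2,s3,s4,s1 (eq. 2)

# P-function of Section 2: output byte j is the XOR of these (1-based) input bytes.
P_TAPS = [[1, 3, 4, 6, 7, 8], [1, 2, 4, 5, 7, 8], [1, 2, 3, 5, 6, 8], [2, 3, 4, 5, 6, 7],
          [1, 2, 6, 7, 8], [2, 3, 6, 7, 8], [3, 4, 5, 6, 8], [1, 4, 5, 6, 7]]


def round_f(x, k):
    """F[K] = P o S o sigma[K] on an 8-byte list (no FL layers, no whitening)."""
    y = [SBOX[S_ORDER[i]][x[i] ^ k[i]] for i in range(8)]   # sigma[K], then S
    out = []
    for taps in P_TAPS:                                       # then P
        v = 0
        for t in taps:
            v ^= y[t - 1]
        out.append(v)
    return out


def encrypt(left, right, round_keys):
    """Feistel rounds L_r = R_{r-1} ^ F(L_{r-1}, K_r), R_r = L_{r-1}.
    Returns [L_0, L_1, ..., L_rounds]; R_r is simply L_{r-1}."""
    lefts = [left]
    L, R = left, right
    for k in round_keys:
        L, R = [a ^ b for a, b in zip(R, round_f(L, k))], L
        lefts.append(L)
    return lefts


def lambda_set(rng, active=0):
    """256 plaintexts: L constant, R constant except byte `active` runs over all values."""
    L = [rng.randrange(256) for _ in range(8)]
    R = [rng.randrange(256) for _ in range(8)]
    return [(L, R[:active] + [v] + R[active + 1:]) for v in range(256)]


def xor_over_set(states):
    acc = [0] * 8
    for s in states:
        acc = [a ^ b for a, b in zip(acc, s)]
    return acc


def balance_per_round(round_keys, seed=7):
    """XOR of each left half over one Lambda-set, round by round.  Theorem 1 says the
    state entering the 4th round (L_3 here) is balanced: all eight bytes XOR to 0."""
    rng = random.Random(seed)
    per_round = [[] for _ in range(len(round_keys) + 1)]
    for L, R in lambda_set(rng):
        for r, state in enumerate(encrypt(L, R, round_keys)):
            per_round[r].append(state)
    return [xor_over_set(states) for states in per_round]


def peel_byte5(L5, L4, k5):
    """Equation (5): L_3(5) = L_5(5) ^ P(S(L_4 ^ K_5))(5).  The 5th P output taps
    only bytes 1,2,6,7,8, so only those five bytes of K_5 are needed (k5 is a dict)."""
    acc = L5[4]
    for t in P_TAPS[4]:
        j = t - 1
        acc ^= SBOX[S_ORDER[j]][L4[j] ^ k5[j]]
    return acc


def recover_key_byte(round_keys, target, num_sets=3, seed=11):
    """Improved 5-round test of Section 4.2, scaled down so it runs in seconds:
    four of the five tapped bytes of K_5 are taken as known and only byte
    `target` (index 0, 1, 5, 6 or 7) is searched.  Returns the guesses left balanced."""
    rng = random.Random(seed)
    known = {j: round_keys[4][j] for j in (0, 1, 5, 6, 7) if j != target}
    survivors = set(range(256))
    for _ in range(num_sets):
        texts = [encrypt(L, R, round_keys) for L, R in lambda_set(rng)]
        for guess in list(survivors):
            k5 = dict(known)
            k5[target] = guess
            acc = 0
            for lefts in texts:        # lefts[5] = L_5, lefts[4] = L_4 (= R_5)
                acc ^= peel_byte5(lefts[5], lefts[4], k5)
            if acc != 0:
                survivors.discard(guess)
    return survivors


_key_rng = random.Random(3)
ROUND_KEYS = [[_key_rng.randrange(256) for _ in range(8)] for _ in range(5)]  # constructed
```

A wrong guess survives one Λ-set with probability about 1/256, which is why the paper repeats the test over several Λ-sets; with the 64-bit (or 40-bit) guesses of Section 4 the same loop is simply run over all key values.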
5 Complexity of the Attack

The complexity of the attack is discussed in this section. For the 5-round attack, $2^{64}$ possible round key values must be checked to recover $K^5$. Since checking a single Λ-set of plaintexts leaves about 1/256 of the wrong keys as possible candidates, the whole process must be repeated for 8 Λ-sets of plaintexts. However, after testing with the first Λ-set of 256 plaintexts, only $2^{56}$ candidate key values remain, and only this fraction has to be tested with the second Λ-set of plaintexts. Therefore, the first check determines the complexity of the attack. For each given round key value, the calculation of $X^4$ from equation (4) is not more complex than an encryption, and hence the attack complexity is $2^{64} \times 2^8 = 2^{72}$ cipher executions.

For the improved 5-round attack, only $2^{40}$ possible round key values must be filtered to recover 5 bytes of $K^5$. The whole process must be repeated for 5 Λ-sets of plaintexts. The attack complexity is $2^{40} \times 2^8 = 2^{48}$ cipher executions.

In the 6-round attack, $2^{104}$ key values must be tested to get $K^6$ and 5 bytes of $K^5$; the right key values can be found with overwhelming probability with 13 Λ-sets. The attack complexity, which is also determined by the first test, is $2^{104} \times 2^8 = 2^{112}$ cipher executions. This attack is faster than exhaustive key search. The complexities of the Square attack on reduced Camellia are summarized in Table 1.



Table 1. Complexity of the attack

Square attack        | Plaintexts        | Cipher executions
On 5 rounds          | $2^{11}$          | $2^{72}$
Improved on 5 rounds | $5 \times 2^{8}$  | $2^{48}$
On 6 rounds          | $13 \times 2^{8}$ | $2^{112}$



6 Conclusion 

The Square attack on Camellia, a Feistel-structure cipher, is discussed in this paper. By a detailed analysis of the round function, an attack on 6-round reduced Camellia that requires $13 \times 2^8$ chosen plaintexts with a complexity of $2^{112}$ cipher executions was found. This attack is faster than exhaustive key search. The result shows that the Square attack works against not only structures similar to that of the Square cipher but Feistel structures also.

Abstract. ECDSA can be viewed as the elliptic curve analogue of DSA. Many variants of (ElGamal) DSA and some general types were proposed in [4]. In this paper, several general types of ECDSA and some new variants of the basic ECDSA are described. From these general types, we can extract the desired, highly efficient elliptic curve digital signature schemes. Moreover, their related security is briefly analyzed.

1 Introduction 

The elliptic curve cryptosystem (ECC) was invented by V. Miller [1] in 1985. ECC can be viewed as the analogue of discrete logarithm cryptosystems. The security of ECC is based on the elliptic curve discrete logarithm problem (ECDLP). The elliptic curve digital signature algorithm (ECDSA) is the elliptic curve analogue of the digital signature algorithm (DSA). An original ECDSA was proposed in 1992 by Vanstone [3], and three variants of it were given in [6,7]. These signature schemes are basically the analogues of the corresponding ElGamal digital signature schemes. The generalizations of the ElGamal DSA were investigated in [4]. In this paper, we propose several generalizations of ECDSA schemes and also describe some new variants of the basic ECDSA.

2 Elliptic Curve Digital Signature Algorithms 

Let $\mathbb{F}_q$ be a finite field with q a prime power; then an elliptic curve E over $\mathbb{F}_q$ is defined as the set of all solutions (x, y) to some Weierstrass equation [2] together with the point at infinity O. Let $E(\mathbb{F}_q)$ denote the set of all $\mathbb{F}_q$-rational points of E, including O; then $E(\mathbb{F}_q)$ forms an abelian group under the addition law [2].

DSA can be regarded as a variant of the ElGamal signature scheme, and their security is based on the intractability of the discrete logarithm problem (DLP). The basic ECDSA is the analogue of the (ElGamal) DSA over an elliptic curve. It can be described as follows [5]:

The public parameters for ECDSA include an elliptic curve E over $\mathbb{F}_q$, a base point G of large prime order n in $E(\mathbb{F}_q)$ and a one-way hash function h.

* This project is supported by the National 973 High Technology Projects (No. G1999035805) and the NSF of China (No. 60073049, 69882002, 69425001).
Basic ECDSA Scheme: To sign a message m, the entity A does the following steps 1-4:

1. Select $d \in \{1, \cdots, n-1\}$ at random as his private key and compute $P = dG$ over E as his public key.

2. Select $k \in \{1, \cdots, n-1\}$ at random and compute $r = (kG)_x \bmod n$, where $(kG)_x$ denotes the x-coordinate of the point $kG \in E(\mathbb{F}_q)$ and is regarded as an integer. If r = 0, then go back to step 1.

3. Compute $s = k^{-1}(h(m) + dr) \bmod n$. If s = 0, then go back to step 1.

4. A's signature for the message m is (r, s).

5. To verify A's signature, the entity B first gets the public parameters and A's public key P, and then checks whether $((s^{-1}h(m))G + (s^{-1}r)P)_x \bmod n = r$. If it holds, then accept the signature. Otherwise, reject it.

In [6], two shortened schemes of the basic ECDSA, ECDSS1 (ECDSS2), are described as: first compute $r_1$ ($r_2$) $= h(kG, m)$ and $s_1 = k/(r + d)$ ($s_2 = k/(1 + rd)$), and then get the signature $(r_1, s_1)$ ($(r_2, s_2)$) on m. Finally verify it by checking whether $r_1 = h(s(P + rG), m)$ ($r_2 = h(s(G + rP), m)$).

In [7], another variant, referred to as NR-ECDSA, was presented as: first compute $r = (kG)_x + h(m)$ and $s = k - dr$, and then get the signature (r, s) on m. Finally verify it by checking whether $h(m) = r - (sG + rP)_x$.

3 Generalizations of ECDSA Schemes 

Type 1: Let $(\alpha, \beta, \gamma)$ be a permutation of (1, d, k). Suppose $r = (kG)_x$ ($r \neq 0$, otherwise select k again). Consider the following equation in the variable s:

$s\alpha = h(m)\beta + r\gamma \bmod n$ (1)

Solving (1), we obtain a signature $(r, s) = (r, \alpha^{-1}(h(m)\beta + r\gamma))$ on m if $s \neq 0$; otherwise select k again. To verify the signature, check whether

$(s^{-1}(h(m)(\beta G) + r(\gamma G)))_x = r$ if $(\beta G, \gamma G) = (G, P)$ or $(P, G)$;

$(h^{-1}(m)(s(\alpha G) - r(\gamma G)))_x = r$ if $(\alpha G, \gamma G) = (G, P)$ or $(P, G)$;

$(r^{-1}(s(\alpha G) - h(m)(\beta G)))_x = r$ if $(\alpha G, \beta G) = (G, P)$ or $(P, G)$.

Schemes No. 1-6 listed in Table 1 are all the possible variants of the basic ECDSA related to the general equation (1).

Type 2: Let $(\alpha, \beta, \gamma)$ be a permutation of (1, d, k) and $r = (kG)_x + h(m)$. Consider the following equation in the variable s:

$s\alpha = \beta + r\gamma \bmod n$ (2)

Solving (2), we obtain a signature $(r, s) = (r, \alpha^{-1}(\beta + r\gamma))$ on m if $s \neq 0$; otherwise select k again. Verify it by checking whether

$r - h(m) = (s^{-1}((\beta G) + r(\gamma G)))_x$ if $(\beta G, \gamma G) = (G, P)$ or $(P, G)$;

$r - h(m) = (s(\alpha G) - r(\gamma G))_x$ if $(\alpha G, \gamma G) = (G, P)$ or $(P, G)$;

$r - h(m) = (r^{-1}(s(\alpha G) - \beta G))_x$ if $(\alpha G, \beta G) = (G, P)$ or $(P, G)$.

Then we obtain another six signature schemes, No. 7-12, as Table 1 lists.
Table 1. ECC Signature Schemes: Variants of the Basic ECDSA

No. | $(\alpha, \beta, \gamma)$ | r | Signature equation | Verification equation
1 | (1, d, k) | $r = (kG)_x$ | $s = dh(m) + kr$ | $(r^{-1}(sG - h(m)P))_x = r$
2 | (1, k, d) | $r = (kG)_x$ | $s = kh(m) + dr$ | $(h(m)^{-1}(sG - rP))_x = r$
3 | (d, 1, k) | $r = (kG)_x$ | $s = d^{-1}(h(m) + kr)$ | $(r^{-1}(sP - h(m)G))_x = r$
4 | (d, k, 1) | $r = (kG)_x$ | $s = d^{-1}(kh(m) + r)$ | $(h(m)^{-1}(sP - rG))_x = r$
5 | (k, 1, d) | $r = (kG)_x$ | $s = k^{-1}(h(m) + dr)$ | $(s^{-1}(h(m)G + rP))_x = r$
6 | (k, d, 1) | $r = (kG)_x$ | $s = k^{-1}(dh(m) + r)$ | $(s^{-1}(h(m)P + rG))_x = r$
7 | (1, d, k) | $r = (kG)_x + h(m)$ | $s = d + kr$ | $(r^{-1}(sG - P))_x + h(m) = r$
8 | (1, k, d) | $r = (kG)_x + h(m)$ | $s = k + dr$ | $(sG - rP)_x + h(m) = r$
9 | (d, 1, k) | $r = (kG)_x + h(m)$ | $s = d^{-1}(1 + kr)$ | $(r^{-1}(sP - G))_x + h(m) = r$
10 | (d, k, 1) | $r = (kG)_x + h(m)$ | $s = d^{-1}(k + r)$ | $(sP - rG)_x + h(m) = r$
11 | (k, 1, d) | $r = (kG)_x + h(m)$ | $s = k^{-1}(1 + dr)$ | $(s^{-1}(G + rP))_x + h(m) = r$
12 | (k, d, 1) | $r = (kG)_x + h(m)$ | $s = k^{-1}(d + r)$ | $(s^{-1}(P + rG))_x + h(m) = r$


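The Type 1 and Type 2 families of Section 3, as an added Python example (not the paper's code): one generic sign/verify pair parameterised by the role permutation (α, β, γ), so that all twelve rows of Table 1 fall out of the single rule "multiply the signature equation by G and solve for kG". The curve is a constructed toy curve over F_10007 whose prime group order is found by point counting, and h maps SHA-256 into {1, ..., n-1}; the curve, the hash and all names are assumptions of this example, not the paper's parameters.

```python
import hashlib
import random
from itertools import permutations

P, A = 10007, 1   # constructed toy field prime (p = 3 mod 4) and curve coefficient a

def _find_curve():
    """First b for which y^2 = x^3 + A x + b over F_P has prime order n; returns (b, n, G)."""
    squares = {y * y % P for y in range(P)}
    cubes = [(x * x * x + A * x) % P for x in range(P)]
    for b in range(1, P):
        if (4 * A ** 3 + 27 * b * b) % P == 0:   # singular curve, skip
            continue
        count = 1                                # the point at infinity O
        for c in cubes:
            rhs = (c + b) % P
            count += 2 if (rhs and rhs in squares) else (1 if rhs == 0 else 0)
        if count > 1 and all(count % d for d in range(2, int(count ** 0.5) + 1)):
            x = next(x for x in range(P) if (cubes[x] + b) % P in squares and (cubes[x] + b) % P)
            return b, count, (x, pow((cubes[x] + b) % P, (P + 1) // 4, P))   # any point generates
    raise RuntimeError("no prime-order curve found")

B, N, G = _find_curve()

def ec_add(p1, p2):
    """Affine group law on E(F_P); None plays the point at infinity O."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add; the scalar is reduced mod n, so negative scalars are fine."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def h(msg):
    """Constructed hash into {1..n-1}: never 0, so h(m)^-1 in Table 1 always exists."""
    return 1 + int.from_bytes(hashlib.sha256(msg).digest(), "big") % (N - 1)

def sign(msg, d, roles, typ, k):
    """roles = (alpha, beta, gamma), a permutation of ('1', 'd', 'k').  Type 1 solves
    s*alpha = h(m)*beta + r*gamma with r = (kG)_x mod n (eq. 1); Type 2 solves
    s*alpha = beta + r*gamma with r = (kG)_x + h(m) (eq. 2).  None => select k again."""
    hm = h(msg)
    R = ec_mul(k, G)
    r = R[0] % N if typ == 1 else R[0] + hm
    if r % N == 0:
        return None
    val = {'1': 1, 'd': d, 'k': k}
    alpha, beta, gamma = (val[x] for x in roles)
    coef = hm if typ == 1 else 1
    s = pow(alpha, -1, N) * (coef * beta + r * gamma) % N
    return None if s == 0 else (r, s)

def verify(msg, sig, pub, roles, typ):
    """Multiply the signature equation by G, s(aG) = coef(bG) + r(cG), and solve for
    kG using whichever role is k; the three cases give every row of Table 1."""
    r, s = sig
    hm = h(msg)
    coef = hm if typ == 1 else 1
    pt = {'1': G, 'd': pub}
    a, b, c = roles
    if a == 'k':
        R = ec_mul(pow(s, -1, N), ec_add(ec_mul(coef, pt[b]), ec_mul(r, pt[c])))
    elif b == 'k':
        R = ec_mul(pow(coef, -1, N), ec_add(ec_mul(s, pt[a]), ec_mul(-r, pt[c])))
    else:
        R = ec_mul(pow(r, -1, N), ec_add(ec_mul(s, pt[a]), ec_mul(-coef, pt[b])))
    if R is None:
        return False
    return R[0] % N == r if typ == 1 else R[0] + hm == r

def run_all(msg=b"ICICS 2001", seed=5):
    """Sign and verify `msg` under all 12 schemes of Table 1 with one key pair, and
    check that the same signature is rejected for a different message."""
    rng = random.Random(seed)
    d = rng.randrange(1, N)
    pub = ec_mul(d, G)
    results = {}
    for typ in (1, 2):
        for roles in permutations(('1', 'd', 'k')):
            sig = None
            while sig is None:
                sig = sign(msg, d, roles, typ, rng.randrange(1, N))
            results[(typ, roles)] = (verify(msg, sig, pub, roles, typ),
                                     verify(b"another message", sig, pub, roles, typ))
    return results
```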

4 A More General Type of ECDSA 

Suppose $F(x,y,z)$, $U(x,y,z)$, $V(x,y,z)$ and $W(x,y,z)$ are given 3-variable rational functions with values in $\mathbb{F}_n$. Construct the following equation set:

$\begin{cases} F(r, m, kG) = 0 \bmod n \\ kU(r, s, m) + dV(r, s, m) + W(r, s, m) = 0 \bmod n \end{cases}$ (3)

To generate a signature on m, first choose F, U, V and W deliberately, and then solve for r and s from equation (3). If it has a solution (r, s) with $r \neq 0$ and $s \neq 0$, then we obtain a signature (r, s) on m. Its verification equation is

$F(r, m, (-U^{-1}(r,s,m)V(r,s,m))P + (-U^{-1}(r,s,m)W(r,s,m))G) = 0.$

When using (3) to generate a signature, we should notice the following:

— First, F should be chosen so that r can be easily solved and expressed as a rational function of m and kG, or at least a rational function of kG.

— To guarantee both the validity and security of the generated signature (r, s) on m, each of r, s and m (or h(m)) has to appear in (3) at least once.

— If r = 0 or s = 0, then select k or the four functions F, U, V and W again.

— If (3) has more than one solution, then add some redundant bits to specify one determinate signature.

— To lessen the computational cost, F, U, V and W are often chosen to be rational functions with degree ±1 or 0 in every variable.

Considering the above conditions, the practical signature schemes generated from (3) can be classified into the following four general types. Suppose f, g and $\phi$ are 2-variable polynomial functions ($\mathbb{F}_n^2 \to \mathbb{F}_n$) with degree 1 or 0 in each variable.

Type 3: Let $(F, U, V, W) = (r - f(kG, m), s, g(r, m), \phi(r, m))$. Then from (3) we obtain the signature $(r, s) = (f(kG, m), k^{-1}(-dg(r, m) - \phi(r, m)))$. Its verification equation is $f((-s^{-1}g(r, m))P + (-s^{-1}\phi(r, m))G, m) = r$. The signature schemes No. 5, 6, 11, 12 can be deduced from this general type.
Type 4: Let $(F, U, V, W) = (r - f(kG, m), g(r, m), s, \phi(r, m))$. Then we obtain the signature $(r, s) = (f(kG, m), d^{-1}(-kg(r, m) - \phi(r, m)))$. Its verification equation is $f((-sg^{-1}(r, m))P + (-g^{-1}(r, m)\phi(r, m))G, m) = r$. The signature schemes No. 3, 4, 9, 10 can be deduced from this type.

Type 5: Let $(F, U, V, W) = (r - f(kG, m), g(r, m), \phi(r, m), s)$. Then we obtain the signature $(r, s) = (f(kG, m), -kg(r, m) - d\phi(r, m))$. Its verification equation is $f((-sg^{-1}(r, m))G + (-g^{-1}(r, m)\phi(r, m))P, m) = r$. The signature schemes No. 1, 2, 7, 8 and NR-ECDSA can be deduced from this type.

Type 6: Suppose $F = r - f(kG, m)$ and U does not contain s, while V and W have s only as a factor; then we have the signature $(r, s) = (f(kG, m), k/(dg(r, m) + \phi(r, m)))$. Its verification equation is $f((sg(r, m))P + (s\phi(r, m))G, m) = r$.

5 Security Analysis 

Generally speaking, the all methods used to solve the DLP can be employed to 
solve the ECDLP. The known possible attacks on ECDSA or its variants can be 
classified into four methods : Solving the ECDLP to get the signer’s per-message 
secret k or private key d, Attacking the employed hash function, Preimage secret 
attack , Forging the signature. 

The current known algorithms for solving the ECDLP mainly have: Naive 
exhaustive search, Pollig-Hellman algorithm , Pollard p-algorithm. Parallelized 
Pollard’s algorithm, Semaev-Smart-Satoh-Araki mothod , Weil pairing method 
and Weil descent method. To avoid these attacks, the basic field F, should not 
be a composite field. The elliptic curve E should not be a supersingular or 
prime- field-anomalous. The order of the basic point G should be a prime > 2^®*^. 

The attacks on the employed hash function can be avoided when it is chosen to be both preimage resistant and collision resistant.

Per-message secret attack: If an attacker $T$ knows a per-message secret $k$, then he can recover $A$'s private key $d$; for example, for Type 3, $d = g(r, m)^{-1}(-sk - \phi(r, m))$. Suppose $k$ is used to generate two signatures $(r_1, s_1)$ and $(r_2, s_2)$ by Type 4; then $s_1 = d^{-1}(-k\,g(r_1, m_1) - \phi(r_1, m_1))$ and $s_2 = d^{-1}(-k\,g(r_2, m_2) - \phi(r_2, m_2))$, and hence $k = (g(r_2, m_2)s_1 - g(r_1, m_1)s_2)^{-1}(\phi(r_1, m_1)s_2 - \phi(r_2, m_2)s_1)$, since $g(r_2, m_2)s_1 - g(r_1, m_1)s_2 = 0$ only with negligible probability. It follows that $T$ recovers $d$.

If the signer $A$ signs two messages $m_1$ and $m_2$ with the same $d$ and $k$ in two different signature schemes, say the basic ECDSA and NR-ECDSA, then $T$ can also recover $k = (s_1 r_2 - r_1)^{-1}(r_2 h(m_1) - r_1 s_2)$ with overwhelming probability. Hence, the per-message secret $k$ should not be used repeatedly.
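The signing and verification equations of Types 3 to 5 and the per-message secret recovery above, as an added worked example that is not part of the paper: Python over secp256k1 with the assumed instantiation $f(kG, m) = x(kG) \bmod n$, $g(r, m) = r$, $\phi(r, m) = \mathrm{SHA\text{-}256}(m) \bmod n$ (the paper leaves these functions general). Two signatures made with one $k$ are two linear equations in $(k, d)$; the block solves them by Cramer's rule, which for Type 4 is exactly the formula above and, as a generalization, also covers Types 3 and 5.

```python
"""Generalized ECDSA Types 3, 4 and 5 on secp256k1 (added example).

Every type solves the linear relation U*k + V*d + W = 0 (mod n), where
(U, V, W) is a permutation of (s, g(r,m), phi(r,m)); TYPES records which one
sits in which slot.  Assumed choices: f(kG, m) = x(kG) mod n, g(r, m) = r,
phi(r, m) = SHA-256(m) mod n.
"""
import hashlib

# secp256k1 domain parameters (public constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def ec_add(p1, p2):
    """Affine addition (and doubling) on y^2 = x^3 + 7 over F_P."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def f(point, m):
    return point[0] % N  # r = f(kG, m): x-coordinate reduced mod n

def g(r, m):
    return r  # g(r, m) = r, as in ECDSA

def phi(r, m):
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N  # H(m)

TYPES = {3: ("s", "g", "phi"), 4: ("g", "s", "phi"), 5: ("g", "phi", "s")}

def coeffs(t, r, s, m):
    """Numeric (U, V, W) of U*k + V*d + W = 0 for Type t."""
    vals = {"s": s, "g": g(r, m), "phi": phi(r, m)}
    return tuple(vals[name] for name in TYPES[t])

def sign(t, d, m, k):
    """Sign m with private key d and per-message secret k under Type t."""
    r = f(ec_mul(k, G), m)
    gv, pv = g(r, m), phi(r, m)
    if t == 3:    # s*k + g*d + phi = 0
        s = pow(k, -1, N) * (-gv * d - pv) % N
    elif t == 4:  # g*k + s*d + phi = 0
        s = pow(d, -1, N) * (-gv * k - pv) % N
    else:         # g*k + phi*d + s = 0
        s = (-gv * k - pv * d) % N
    return r, s

def verify(t, pub, m, sig):
    """Recompute kG = (-U^-1 V) P + (-U^-1 W) G and check f(kG, m) == r."""
    r, s = sig
    U, V, W = coeffs(t, r, s, m)
    if not (0 < r < N and 0 < s < N) or U % N == 0:
        return False
    u_inv = pow(U, -1, N)
    q = ec_add(ec_mul(-u_inv * V % N, pub), ec_mul(-u_inv * W % N, G))
    return q is not INF and f(q, m) == r

def recover_from_reused_k(t, m1, sig1, m2, sig2):
    """Two signatures sharing k are two linear equations in (k, d); Cramer's
    rule mod n solves them (for Type 4 this is the paper's formula for k)."""
    U1, V1, W1 = coeffs(t, sig1[0], sig1[1], m1)
    U2, V2, W2 = coeffs(t, sig2[0], sig2[1], m2)
    det_inv = pow((U1 * V2 - U2 * V1) % N, -1, N)  # zero only negligibly often
    k = det_inv * (V1 * W2 - V2 * W1) % N
    d = det_inv * (U2 * W1 - U1 * W2) % N
    return k, d

def demo(t, d=0x1F3A7C52, k=0x0BADC0DE):
    """Constructed key and reused per-message secret: both leak under Type t."""
    pub = ec_mul(d, G)
    m1, m2 = b"order #1: 10 units", b"order #2: 9000 units"  # constructed
    sig1, sig2 = sign(t, d, m1, k), sign(t, d, m2, k)
    ok = verify(t, pub, m1, sig1) and verify(t, pub, m2, sig2)
    return ok and recover_from_reused_k(t, m1, sig1, m2, sig2) == (k, d)

if __name__ == "__main__":
    print({t: demo(t) for t in (3, 4, 5)})  # -> {3: True, 4: True, 5: True}
```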

To prevent $T$ from finding $k$ or $d$ with non-negligible probability by factoring $\gcd(g(r, m), \phi(r, m))$ in Type 3 and Type 4, $g(r, m)$ and $\phi(r, m)$ had better be chosen so that $\gcd(g(r, m), \phi(r, m)) = 1$.

In Type 5, if $g(r, m) = \phi(r, m)$, then $T$ can obtain $k + d$ and then recover $k$ or $d$ with non-negligible probability if $k + d$ is not large enough.
Forging the signature: To forge a signature on some message $m$, the forger $F$ first randomly selects $r \in \{1, \ldots, n-1\}$ (where $n$ is the order of $G$) and then tries to find $s$ through the corresponding verification equation, or vice versa. But $F$ has to solve some ECDLP to get $s$. For example, in Type 5, $F$ has to solve the ECDLP for $s$: $sG = -g(r, m)G_r - \phi(r, m)P$, where $G_r \in \langle G \rangle$ (the subgroup generated by $G$) is totally determined by $r$, or by both $r$ and $m$. $F$ can also choose two random values $a, b \in \{1, \ldots, n-1\}$ and then construct $\tilde r$, $\tilde s$ and $\tilde m$ to satisfy the corresponding verification equation. For example, in Type 4, $F$ computes $\tilde r = f(aG + b^{-1}P, \tilde m)$ and then solves $g(\tilde r, \tilde m) + \tilde s b = 0$ and $g(\tilde r, \tilde m)a + \phi(\tilde r, \tilde m) = 0$ for $\tilde s$ and $\tilde m$. If the equations have a solution, then $F$ successfully forges a signature $(\tilde r, \tilde s)$ on $\tilde m$. But if the function $g$ or $\phi$ is chosen to be related to a cryptographic hash function, then the equations have a solution only with negligible probability.

6 Conclusion 

ECDSA can be viewed as the elliptic curve analogue of DSA. But its security is 
much stronger than DSA’s. Our general types of ECDSA give a lot of choices 
to generate the desired elliptic curve digital signatures. These general types can 
be modified to become general schemes of ECDSA with some special properties, 
such as general blind elliptic curve signature schemes. From these generalized 
elliptic curve signature schemes we can extract both efficient and secure variants 
for practical applications. 
Abstract. We propose a framework for the analysis of delegation protocols. Our framework allows one to analyse how accountability is transferred (or kept) by the delegator when she transfers some of her rights to the delegate. The ability to trace how accountability is distributed among the principals of a system is crucial in many transactions that have a legal value, because accountability is usually a prerequisite to guarantee other well-known security properties (e.g., non-repudiation). Our approach starts from the notion of “provability” to formalise accountability. Then, we introduce new specifications for the analysis of delegation protocols and the distribution of credentials necessary to exercise delegated rights.



1 Introduction 

In many e-commerce applications, as in real life, electronic transactions must be able to guarantee at least the same degree of accountability provided by conventional transactions. For example, let us consider the case of a manager delegating her system administrator to back up her files containing important documents. In case something goes wrong and the documents become unrecoverable, it would be useful for both the manager and the system administrator to have mechanisms that help them prove their behaviour to a third party and thereby determine accountability for the facts. From this example the importance of the property of accountability is clear; we define it as:

the property whereby the association of a principal with an object, an action 
or a right can be proved to a third party. 

This paper provides an original contribution to the problem of the analysis of protocols that require accountability. Among all the protocols that require this property we focus our attention on delegation protocols. This is motivated by the fact that delegation is usually the general mechanism used to transfer accountability among principals. Besides, a lot of work has been done on the analysis of protocols, but few of these analyses have considered delegation protocols.
2 Accountability

For our analysis we start from a framework introduced by Kailar [4] specifically for analysing and describing accountability, in order to analyse this property in delegation protocols.

This framework is based on the notion of provability, that is, the ability of participants in a protocol to prove a statement to a third party, which is the basis for accountability. A participant can prove a statement to any other principal if he can convince the latter about the statement. The proof of a statement x is generically defined as the ability, starting from known assumptions, to produce a set of statements that can convince any other principal about x. In practice it is enough (and easier) to convince a particular third party (a judge) rather than all the other principals that did not participate in the protocol.

We agree with Kailar that his approach is more suitable for analysing accountability than other approaches based on belief [1] and its evolution within the protocol, because those approaches focus on what can be proved only by the participants of the protocol, while the point of view of external observers is essential to accountability.

In this section, we provide a short review of the basics of the adopted frame- 
work, referring to [4] for a more detailed description. 

In section 2.4, we introduce new postulates that allow one to analyse delegation of accountability in communication protocols.

Finally, in section 3, we will analyse two communication protocols with sup- 
port for delegation: the SPX protocol [7] and the Delegation of Accountability 
protocol [2]. Our analysis will show the usability of our approach. 

2.1 Symbols and Concepts 

In a generic communication protocol, we have a group of principals (A, B, ...) that exchange messages with each other. During the analysis of a protocol, we want to focus on the ability of principals to prove the origin of these messages. The statement made by each message is the message interpretation; statements are denoted by lower-case letters (x, y, ...). A proof of a statement x is something that convinces another principal of statement x. We do not worry about the steps of a proof, because they largely depend on the environment where the protocol is designed to work.

Considering our definition of accountability we need to introduce objects, actions and rights into our language. We denote a set of rights with a Greek upper-case letter (Γ, Δ, ...). Observe that in the rest of the paper, the term right is also used to indicate an object (the right to use a given object) or an action (the right to do a given action).

To improve the readability of the paper, we avoid introducing and using new mathematical symbols. Instead, we use common phrases like “can prove” or “can exercise” written concatenated (i.e., “CanProve” or “CanExercise”). Moreover, we introduce only the concepts and postulates that are needed to understand the paper and the process of analysing a delegation protocol for proving the accountability property. Informal descriptions of these concepts are given below:
A CanProve x: Principal A can prove the statement x to any third party B. This implies that A is able to perform a sequence of operations that lead to proving statement x to a principal B, whoever B is. This proof does not reveal any secret y ≠ x.

This is a strong proof, because principal A can prove the given statement to everyone. We talk about a weak proof if the ability of the prover permits proving the given statement only to another principal. In this case, we can write “A CanProve x to B”, where A and B are the involved principals. In this paper we use only strong proofs.

K Authenticates A: The key K can be used to authenticate the signature of principal A. As a consequence, we can associate A with any statement encrypted with $K^{-1}$. K and $K^{-1}$ are the public and private counterparts of an asymmetric key pair.

x in m: x is the interpretation of a (group of) field(s) in message m. This interpretation is protocol specific.

A Says x: Principal A is responsible for statement x. In other words, A is accountable for x. As a consequence, A is accountable for every statement implied by x. Moreover, if A says any statement composed of two or more parts, she is accountable for each part:

A Says (x, y)
A Says x

A Receives m SignedWith $K^{-1}$: This tells that principal A rece ives a message m signed with a private key $K^{-1}$. If x is the message interpretation of m (or the interpretation of one of the fields of m), we can use the following postulate:

A Receives m SignedWith $K^{-1}$; x in m
A Receives x SignedWith $K^{-1}$

A isTrustedOn x: Principal A is trusted on statement x, i.e., A has the authority to endorse x and is liable for making x. If principal A is globally trusted, then A is trusted on x by all principals¹.

The following definitions of “CanExercise” appear for the first time in this paper. 

A CanExercise Ω: This denotes the fact that principal A can exercise the rights listed in Ω. In an access control environment, a principal can exercise a right under some requirements². We use “CanExercise” only to associate principals with rights, in accordance with our definition of accountability.

¹ If a principal is trusted on a statement by only another (or a group of) principal(s), we use the notion of non-global trust. In this paper we only talk about global trust, even if more loosely: principal A is trusted on x by all principals in the intended audience of a proof.

² For example, a principal can read/write the files of directory /Doc/Sec only if she belongs to the Security group. We are not concerned with how these requirements are checked or how these rights are assigned to principals by a system administrator. These aspects are strongly dependent on a given environment.
A CanExercise Ω with K: If we want to specify the authentication key that a principal uses to exercise her rights, we can use this statement. Here, principal A CanExercise the set of rights Ω using K as her authentication key. Of course, the statement “K Authenticates A” must be provable.

2.2 Assumptions 

Some assumptions related to security constraints must be respected before validating analysis results. The digital signature scheme considered in this framework is based on the public-key encryption paradigm. Signature algorithms are assumed to be strong enough: (1) to be indisputably associated with a single user; (2) to resist the search for another principal's private key, independently of the available computing power, for a sufficient period of time; (3) to withstand birthday attacks. Moreover, signature algorithms are assumed to provide message origin authentication, message content integrity and message sender non-repudiation. Finally, signature algorithms do not require the consent of the signer.

Another important group of assumptions is related to trust: principals are trusted not to share their private keys with other principals with whom they do not wish to be accountable, i.e., we trust principals to use caution in sharing their keys. Moreover, a principal is assumed to trust a statement if she is an authority on the given statement, or if she is convinced of the validity of the statement by a trusted party.

Other important assumptions are about message integrity, availability of services and certificate revocation. It is not possible to fake a signed message or to compute another private key that can be accepted as the authentic signature (message integrity); if A CanProve x, then we assume that, independently of the availability of the communication service, A has the ability to send all the messages for proving x (availability of service); finally, statements proved by revoked public keys are considered valid only if the statements were signed when the related certificates were still valid (certificate revocation).

2.3 Postulates 

Postulates introduced here are applicable to the analysis of accountability properties in electronic communication protocols. All postulates are given in the form:

P; Q
R

where P and Q are the premises of the rule: if they hold simultaneously, then the consequence statement R is true.

Conjunction: If A can prove that x is true and she can also prove that y is true, then A can prove that the conjunction x ∧ y is true.

Conj:
A CanProve x; A CanProve y
A CanProve (x ∧ y)
Inference: If A can prove statement x and x implies y, then A can prove that y is true.

Inf:
A CanProve x; x ⇒ y
A CanProve y



Accountability property of digital signatures: The following postulate can be used to prove that principals are accountable for messages they signed.

Sign:
A Receives m SignedWith $K^{-1}$; x in m;
A CanProve (K Authenticates B)
A CanProve (B Says x)

That is, when principal A receives a message m signed with a key $K^{-1}$ and A can prove that this key belongs to B, as a consequence A can prove that B is accountable for any statement x, where x is a message interpretation of m.

Trust relationships: In digital signature schemes, a proof of a statement x can also be given by showing that x has been endorsed by a trusted authority on x, i.e., A is an authority on x and she says x. As a consequence, A can prove that x is true. This is based on what we said in section 2.2: if A is trusted on a given statement then she is able to prove it to another principal. Moreover, if a principal A can prove that another principal is able to prove a statement x, then A can prove x.

The Trust postulate is a corollary of the previous considerations:

Trust:
A CanProve (B Says x);
A CanProve (B isTrustedOn x)
A CanProve x



2.4 A Specification of the Framework: The CanExercise Postulates 

This section introduces the formalization of the concept of a principal that can 
exercise a right (or a set of rights). 

A principal can exercise a right if another principal gave her the related permissions. These permissions can be given by a trusted authority (i.e., a system administrator), and can be delegated to another principal, who, after delegation, can exercise the transferred rights.

In a generic delegation, principal A can delegate another principal B to exercise the set of rights Ω only if A has the ability to exercise them. Moreover, A must be accountable for having delegated B to exercise Ω, and, finally, B must be authenticated when she exercises Ω. The following postulate formalizes these ideas:

CanExercise1:
A CanExercise Ω;
A Says (delegation of Ω to B);
($K_{Del}$ Authenticates B)
B CanExercise Ω with $K_{Del}$

That is, principal A can exercise the set of rights Ω and she delegates B to exercise these rights. Key $K_{Del}$ authenticates principal B: when B exercises Ω, she will be authenticated using $K_{Del}$.

When we need only to describe the power of a principal to exercise a given set of rights, we can omit the specification of this key. The following postulate relates both ways of using the “CanExercise” clause.

CanExercise2:
A CanExercise Ω with K
A CanExercise Ω



In our analysis, we want to prove the accountability of a principal on a set of rights that have been delegated by another principal. In other words, the goal of such a proof is to show that:

delegate CanProve (delegate CanExercise Ω with $K_{Del}$)

where $K_{Del}$ is the delegation key of the given protocol.

During the analysis of delegation protocols, we use postulates CanExercise1 and CanExercise2 in conjunction with the Inf postulate, in order to unify “CanProve” and “CanExercise”.

Another important goal to verify during the analysis of a delegation protocol is the ability of the delegator to prove that she is not associated with the delegate's actions. When a set of rights Ω has been transferred from A to B and principal B is exercising Ω using the delegation key $K_{Del}$, then principal A is not accountable for this activity of B. This second generic goal can be formalized with the following statement:

delegator CanProve ($K_{Del}$ Authenticates delegate)



3 Analysis of Delegation Protocols 

In this section, we show some examples of protocol analysis. In particular, we apply our analysis framework to SPX [7] and to the Delegation of Accountability protocol [2]. In these two analyses it will be possible to show the difference between two different delegation philosophies: SPX permits the grantor to delegate to the grantee the possibility to act on the grantor's behalf; in the other approach, the grantor transfers the accountability on a set of rights of her own.



3.1 SPX with Support for Delegation 

Protocol description. In SPX [7], principals use authentication tokens to authenticate each other. The authentication token permits the secure exchange of a session key. A simplified version of SPX is analysed in [4] in order to verify accountability properties. In this section, we summarize the content of the previous analysis and show that this protocol doesn't allow accountability on a set of transferred rights.

The involved principals are: a claimant (C), a certificate distribution center (CDC), and a server (S). Moreover, we also have principals $TA_1$ and $TA_2$ that, together with CDC, play the role of trusted authorities.
The goal of the protocol is for S to securely receive a delegation key from C. In this delegation context, principal C authorizes another principal (S) to act on her behalf by sharing a set of rights with C for a given period of time. The protocol is not designed for delegation of accountability, because the transferred rights will still be accountable to C.

The protocol description is the following:

1. C → CDC : S
2. CDC → C : $K_{CDC}^{-1}(K_{TA_1}^{-1}(S, K_S, TA_1))$
3. C → S : $K_C^{-1}(K_{Del}, T),\ K_S(K_{des}),\ K_{des}(K_{Del}^{-1})$
4. S → CDC : C
5. CDC → S : $K_{CDC}^{-1}(K_{TA_2}^{-1}(C, K_C, TA_2))$
6. S → C : Response (accept/reject)

Server S plays the role of the verifier of the claimant's credential. The protocol starts with the request of C for S's public key (message 1). This request is sent to the certificate distribution center, which replies (message 2) with a certificate of S issued by the trusted authority $TA_1$. This certificate is encrypted with CDC's private key. C sends her delegation public key ($K_{Del}$) to S (message 3), signing it with her authentication key $K_C^{-1}$; $K_{Del}$ is valid for a period of time T. Moreover, C sends to S a symmetric session key $K_{des}$ encrypted with S's public key ($K_S$). C encrypts the private part of the delegation key with the session key $K_{des}$ and also sends it to S. Finally S asks CDC for C's certificate (messages 4 and 5) and, after receiving the certificate, S verifies C's credentials and replies to C with the response (message 6).



Reformulating the Protocol. The protocol has been reformulated by Kailar in [4] with the adopted notation. We report here the protocol message interpretation described in the previous analysis. Only messages 2, 3 and 5 were considered relevant to the analysis:

2. C Receives ((($K_S$ Authenticates S) SignedWith $K_{TA_1}^{-1}$) SignedWith $K_{CDC}^{-1}$)
3. S Receives (($K_{Del}$ Authenticates C during T) SignedWith $K_C^{-1}$)
5. S Receives ((($K_C$ Authenticates C) SignedWith $K_{TA_2}^{-1}$) SignedWith $K_{CDC}^{-1}$)

Protocol Analysis. As we recalled at the beginning of this section, the delegation goal pointed out by Kailar's analysis was to verify the delegate's ability to prove that the delegation key authenticates the delegator. In other words, the goal of the analysis shown by Kailar was:

[Goal] S CanProve ($K_{Del}$ Authenticates C)

Principal C can exercise the transferred set of rights, but S will still be accountable for them, because $K_{Del}$ authenticates her.

As we said in section 2.4, we wish to show that:

C CanProve ($K_{Del}$ Authenticates S),

in order to give C the possibility to prove her independence from the delegate's actions. If we were able to show the previous statement, it would be true together with the Goal statement proved by Kailar, meaning that $K_{Del}$ authenticates both delegator and delegate. In this case, we lose the accountability property. As a consequence, the SPX protocol does not support delegation of accountability.



3.2 The Delegation of Accountability Protocol 

Protocol description. The protocol [2] is based on delegation tokens (Gasser et al., Sollins [6], Low et al. [5]).

It allows principals to delegate their own accountability to any other principals. It assumes that each principal can generate public-key pairs and has access to a digital signature service. Moreover, it assumes that each principal can get the public key(s) needed to verify the digital signatures that she may receive, including the keys used for authentication purposes. The delegation protocol is specified as follows:

1. A → B: A, B, m, $K_A^{-1}(m)$
   where m = [A wishes to delegate to B accountability for Ω]
2. B → A: B, A, m', $K_B^{-1}(m')$
   where m' = [B accepts Ω and she will exercise Ω using $K_{Del}$]
3. A → B: t = [A, B, m'', $K_A^{-1}(m'')$]
   where m'' = [Ω, LS, $K_A$, $K_{Del}$]

where A is the grantor, B is the grantee, Ω is the set of delegated rights and LS is the time span of delegation token t. $(K_A, K_A^{-1})$ and $(K_B, K_B^{-1})$ are respectively the authentication key pairs of grantor and grantee, and $(K_{Del}, K_{Del}^{-1})$ is the delegation key pair that the grantee will use to exercise Ω. In message (3), a key rather than a name is used to identify the grantor, so if an attacker succeeds in masquerading as the grantor he cannot fraudulently delegate the grantor's accountability, because he still does not know the key necessary to do it.

The grantor is the only one that can enable the grantee to use Ω: the delegation token contains m'', which specifies the characteristics of the present delegation, and it also contains m'' signed by the grantor. When the grantee wishes to use the delegated rights she must present [t, $K_{Del}^{-1}(t)$] to the end-point, followed by the request for the specific service she wants³. The end-point will check the privileges carried in the delegation token against her access control policy. The end-point can be any principal of the system because the token is verifiable by all the components of the system⁴. Thus all the principals can verify the correctness of the delegation token after they get the grantor's and grantee's public keys from the authentication service in order to authenticate them in the first two messages of the protocol.



Reformulating the Protocol. The protocol can be reformulated in terms of the described notation:

³ In such a framework, if grantee B is not necessarily honest and step 3 does not take place, she cannot exercise the delegated rights with only the delegation key $K_{Del}$, because she lacks the delegation token.

⁴ We are assuming that an authentication service is available.
1. B Receives ((A wishes to delegate to B accountability for Ω) SignedWith $K_A^{-1}$)
2. A Receives (($K_{Del}$ Authenticates B) SignedWith $K_B^{-1}$)
3. B Receives ((delegation of Ω to B) SignedWith $K_A^{-1}$)

Now we have to list the implicit assumptions and apply the inference rules of the adopted logic to the assumptions and to the messages of the protocol in order to prove our goal: the delegate is accountable for exercising the transferred rights.



Goal and Initial State Assumptions. Our primary goal is:

[Goal1] B CanProve (B CanExercise Ω with $K_{Del}$)

Let us observe that, if we prove the goal, with the application of the CanExercise2 and Inf postulates we can show the more general fact that:

B CanProve (B CanExercise Ω)

We also wish to show that the grantor is able to prove that the delegation key authenticates the grantee: if B exercises Ω using $K_{Del}$, A cannot be accountable for this. As a consequence, the second goal of our analysis is:

[Goal2] A CanProve ($K_{Del}$ Authenticates B)

The initial state assumptions follow here:

[A1] A CanProve ($K_A$ Authenticates A)
[A2] B CanProve ($K_B$ Authenticates B)
[A2'] B CanProve ($K_{Del}$ Authenticates B)
[A3] B CanProve (A CanExercise Ω)
[A4] A CanProve (B isTrustedOn ($K_{Del}$ Authenticates B))
[A5] A CanProve ($K_B$ Authenticates B)
[A6] B CanProve ($K_A$ Authenticates A)

Assumptions A1, A2 and A2' state that the association between principals and their public keys can be proved.

Of course, we assume that B can prove that A is able to exercise the set of rights Ω (assumption A3). A is delegating B to exercise Ω, but B must be convinced that A owns these rights.

We also assume that principal B is trusted when announcing her own delegation key, because she is responsible for the messages signed with this key (assumption A4).

Finally, in the protocol we did not specify the part concerned with the authentication of principals, because we are focusing on the delegation part. We can assume that the generic goals of a public key distribution protocol are reached before the delegation protocol starts (i.e., using a certificate distribution center, as in the SPX protocol). As a consequence, we can make assumptions A5 and A6.



Analysis. Applying the Sign postulate to message 3 and A6, we obtain:

[S1] B CanProve (A Says (delegation of Ω to B))

Using the Conj postulate on A3, S1 and A2', the following statement is true:

[S2] B CanProve (A CanExercise Ω, A Says (delegation of Ω to B), $K_{Del}$ Authenticates B)

Finally, we obtain Goal1, using the Inf and CanExercise1 postulates on statement S2:

[Goal1] B CanProve (B CanExercise Ω with $K_{Del}$)

We can apply the Sign postulate to message 2 and assumption A5 to show that:

[S3] A CanProve (B Says ($K_{Del}$ Authenticates B))

Finally, Goal2 is inferred by the Trust postulate using S3 and A4 as premises. □
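The postulates of sections 2.3 and 2.4 and the derivation of Goal1 and Goal2 just given, as an added worked example that is not part of the paper: a small goal-directed prover in Python over tuple-encoded statements, replaying assumptions A1-A6 and messages 1-3. The constructor names, the string names for principals and keys, the depth bound, and the folding of the "x in m" step into Receives (messages are represented directly by their interpretation) are our own choices; dropping a message or assumption shows which goal then stops being provable.

```python
"""Goal-directed checker for the CanProve / CanExercise postulates (added
example).  Statements are nested tuples; Conj, Sign, Trust and the Inf
instances given by CanExercise1 / CanExercise2 are backward-chaining rules.
The initial state A1-A6 and messages 1-3 of the Delegation of Accountability
protocol are replayed to derive Goal1 and Goal2.
"""
from functools import partial

def stmt(kind, *args):
    """Build a statement of the logic as a hashable tuple."""
    return (kind, *args)

CanProve = partial(stmt, "CanProve")                # A CanProve x
Says = partial(stmt, "Says")                        # A Says x
Authenticates = partial(stmt, "Authenticates")      # K Authenticates A
IsTrustedOn = partial(stmt, "IsTrustedOn")          # A isTrustedOn x
CanExercise = partial(stmt, "CanExercise")          # A CanExercise rights
CanExerciseWith = partial(stmt, "CanExerciseWith")  # A CanExercise rights with K
Delegation = partial(stmt, "Delegation")            # "delegation of rights to B"
And = partial(stmt, "And")                          # conjunction (x, y)
Receives = partial(stmt, "Receives")                # A Receives x SignedWith K^-1

class Prover:
    """Backward-chaining search over the postulates, bounded by depth."""

    def __init__(self, facts, principals, keys):
        self.facts = set(facts)
        self.principals, self.keys = principals, keys

    def can_prove(self, p, x, depth=5):
        """Can principal p prove statement x from the facts?"""
        if CanProve(p, x) in self.facts:
            return True
        if depth == 0:
            return False
        d = depth - 1
        if x[0] == "And":                      # Conj
            return self.can_prove(p, x[1], d) and self.can_prove(p, x[2], d)
        if x[0] == "Says":                     # Sign: signed message + key binding
            _, b, y = x
            if any(Receives(p, y, k) in self.facts
                   and self.can_prove(p, Authenticates(k, b), d)
                   for k in self.keys):
                return True
        if x[0] == "CanExerciseWith":          # Inf with CanExercise1
            _, b, rights, k = x
            premises = [And(And(CanExercise(a, rights),
                                Says(a, Delegation(rights, b))),
                            Authenticates(k, b))
                        for a in self.principals if a != b]
            if any(self.can_prove(p, pr, d) for pr in premises):
                return True
        if x[0] == "CanExercise":              # Inf with CanExercise2
            _, b, rights = x
            if any(self.can_prove(p, CanExerciseWith(b, rights, k), d)
                   for k in self.keys):
                return True
        # Trust: p proves that some B says x and that B isTrustedOn x.
        return any(self.can_prove(p, Says(b, x), d)
                   and self.can_prove(p, IsTrustedOn(b, x), d)
                   for b in self.principals)

def delegation_of_accountability(omit=()):
    """Replay Sect. 3.2 and return (Goal1, Goal2).  `omit` drops the named
    messages or assumptions to see which goal then stops being provable."""
    A, B, KA, KB, KDel, rights = "A", "B", "K_A", "K_B", "K_Del", "Omega"
    facts = {
        "M1": Receives(B, ("WishesToDelegate", A, B, rights), KA),
        "M2": Receives(A, Authenticates(KDel, B), KB),
        "M3": Receives(B, Delegation(rights, B), KA),
        "A1": CanProve(A, Authenticates(KA, A)),
        "A2": CanProve(B, Authenticates(KB, B)),
        "A2'": CanProve(B, Authenticates(KDel, B)),
        "A3": CanProve(B, CanExercise(A, rights)),
        "A4": CanProve(A, IsTrustedOn(B, Authenticates(KDel, B))),
        "A5": CanProve(A, Authenticates(KB, B)),
        "A6": CanProve(B, Authenticates(KA, A)),
    }
    prover = Prover([v for n, v in facts.items() if n not in omit],
                    principals=(A, B), keys=(KA, KB, KDel))
    goal1 = prover.can_prove(B, CanExerciseWith(B, rights, KDel))  # Goal1
    goal2 = prover.can_prove(A, Authenticates(KDel, B))            # Goal2
    return goal1, goal2

if __name__ == "__main__":
    print(delegation_of_accountability())             # -> (True, True)
    print(delegation_of_accountability(omit={"M2"}))  # -> (True, False)
```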

4 Conclusions 

Despite its importance in supporting any commercial and financial transaction, accountability has usually been neglected in the formalisation of protocols. Also, other important security properties (e.g., non-repudiation) rely on accountability and on the possibility to examine unforgeable evidence collected by the parties during the execution of a transaction [3]. In this paper, we tried to raise attention to this issue and in particular we introduced a framework to reason about accountability in the particular case of delegation protocols. Delegation protocols aim to perform the hand-over of rights from delegator to delegate. Our studies, however, proved that many of them do not consider the important issue of the accountability associated with those rights. As we said, this lack of specification can nullify or jeopardise the subsequent use of the delegated rights in applications where accountability is required in case of possible disputes (i.e., electronic commerce).
Abstract. Binary images have only two colors, which makes the embedding of invisible data difficult. In this paper, we propose a new data hiding method that can hide a moderate amount of data in a host binary image, such as binary cartoon images, scanned texts and signatures, without introducing noticeable artifacts. The proposed method employs subblock pattern classification to maintain the visual effect and the mechanics of the multilevel supblock to improve the capacity. Extraction of the hidden data does not require knowledge of the original image. The experiments demonstrate that the proposed method can provide excellent perceptual quality of the marked image. The potential applications include invisible annotation, alteration detection and covert communication.



1 Introduction 

With the huge success of the Internet, digitization of various kinds of media is gaining wider popularity for transmission, wide distribution and storage. The advantages of digital media include convenient transmission, effortless access, lossless copying, easy editing and reliable storage. However, they also introduce a new set of challenging security problems that cannot be solved by encryption alone. These problems have generated a flurry of recent research activity in the area of digital watermarking and data hiding.

The study of digital watermarking and data hiding has made great progress over the last several years. Many different methods have been proposed for still images. They can be classified into two categories based on the casting domain: 1) luminance intensity in the spatial domain [1,2], for instance the LSB (Least Significant Bit) approach and the Patchwork method, and 2) transform coefficient magnitude in the frequency domain, which modifies frequency coefficients after applying a proper transform [3,4,5,6], e.g. DWT, DCT, FFT, etc. The new technique has a variety of potential applications involving digital media, including copyright protection, annotation, covert communication, and alteration detection.
However, most of these methods target color images and grayscale images and fail when applied to two-color images. As an important class of images, digital binary images are widely used on the Internet. There is a significant difference between binary images and other natural images: binary images have only two colors, without complicated color and texture variation, and changing a pixel can be easily detected. This peculiar characteristic makes it more difficult to embed invisible digital information in them. The only solutions known to us dealing with binary images are [7,8]. Wu [7] presented a data hiding scheme for binary images for the first time. It partitions the image into blocks, then tries to embed as much as one data bit in each block via an AND operation with a secret key matrix whose size is the same as the blocks. However, the perceived quality is poor because it does not take into account the visual effect. It introduces many isolated points near the boundaries, which cause noticeable artifacts. An improved method for higher security and capacity was proposed by [8], but the visibility of the marked image is still a problem, even poorer than [7] in some cases, since it may introduce isolated points at any location of the host image.

This paper addresses the visibility of the marked image. We propose a multilevel supblock based data hiding method that can hide a moderate amount of data in binary images, e.g. binary cartoons, scanned text, and signatures. The hidden data can be extracted without the original host image. The proposed method greatly outperforms the previous approaches in transparency. The potential applications include invisible annotation, change detection and covert communication.

The paper is organized as follows. The description of the proposed scheme 
is presented in Sect. 2. Experimental results and analysis are given in Sect. 3. 
Finally, concluding remarks are provided in Sect. 4. 



2 Description of the Proposed Method 

As we mentioned, it is more difficult to embed a piece of critical data in binary images under the visibility constraint, because there are only two elements in the pixel-value space of binary images. How to maintain good perceptual quality becomes the major problem. We have observed that whether a revised pixel is noticeable strongly depends on its neighbors. For instance, if a pixel in a homochromous region changes to the other color, the difference will be quite noticeable. Conversely, the change will be comparatively hard to detect if some neighbors of the pixel have the same color as the pixel after modification. Therefore, during embedding, which pixels to alter should be determined according to the state of their neighbors.

Our method is motivated by the above observation. Its fundamental idea is summarized below. First it partitions the host image into many blocks, then classifies these blocks into different levels. A high rank (or level number) represents good visual performance. Given a piece of critical data, our scheme will manage to embed the data in the blocks with the highest rank. A "0" and a "1" are respectively represented by a pair of blocks that differ only in the central pixel.

To improve the capacity and imperceptibility, we introduce the concept of "supblock", which is composed of several base blocks overlaid with each other. Correspondingly, those base blocks of smaller size are called "subblocks". With the supblock mechanics, we can examine a local region by means of different combinations of pixels, yielding more subblock patterns.

The block diagram of embedding and extracting is shown in Fig. 1. 




[Figure 1 not reproduced; visible labels: "Marked image", "Extracted data"]

Fig. 1. The block diagram of embedding and extracting procedures



2.1 Subblock Classification 

The objective of subblock classification is to overcome the perceptual quality reduction caused by pixel modification. In our approach, each subblock is associated with a level number (rank) according to its pattern, indicating the influence on visibility of an assumed change of the central pixel in the subblock. In other words, supposing that the central pixel in a subblock is changed, we consider the variation in connectivity and smoothness and investigate how much such a change reduces visual quality, and then the rank is determined. A higher rank implies that changing the central pixel of the subblock reduces visual quality less, so the subblock should have a higher priority for embedding.

We take the 3-by-3 subblock as a sample, shown in Fig. 2. Whatever the central pixel of the subblock is, changing the central pixel of the subblock in Fig. 2(b) obviously attracts less attention than doing so in Fig. 2(a). So the pattern of the subblock in Fig. 2(b) has a higher rank than that of Fig. 2(a). In this manner, we classify all the patterns into different levels. There are 256 (2^8) subblock patterns in total, exclusive of the central pixel. We denote the collection of patterns of rank n by A_n.

There are several approaches for embedding one data bit h in a subblock B. We list two of them below, where the central pixel of the subblock is denoted by c.

a) Let c = h.

b) Let c = (SUM(B ⊕ K) + h) mod 2.

Here K is a given matrix whose size is the same as the subblock B, "⊕" is the bitwise exclusive-OR operator, and SUM(X) is the sum of all elements in matrix X.

[Figure 2 not reproduced: panels (a) and (b)]

Fig. 2. Two patterns of 3-by-3 subblock with different rank.

2.2 Mechanics of Supblock 

If we directly employ the simple scheme of partitioning the image and then examining the level of each subblock, the number of subblocks at a given level will be quite limited, since the pixels of a pattern are often scattered across different subblocks. The simple scheme never takes such patterns into account. To take advantage of the patterns whose pixels are distributed over multiple subblocks, it is necessary to amend the simple scheme. In this paper we employ the mechanics of the supblock. The supblock is larger than the subblock, hence it contains more than one subblock; e.g. a 4-by-4 supblock contains four 3-by-3 subblocks, as shown in Fig. 3, where the labeled numbers represent the pixel correspondence between the subblocks and the supblock.
[Figure 3 not reproduced: a 4x4 supblock beside its 3x3 subblocks]

Fig. 3. Illustration of supblock mechanics for top level.



Suppose that we have a 4-by-4 supblock S; we denote the subblocks of the supblock by B_i(S) (i = 1, 2, 3, 4). The subblock embeddable function E_n(S, k) of rank n is recursively defined as follows:

i) For k = 1,

$$E_n(S, 1) = \begin{cases} 1, & \text{if } B_1(S) \in A_n \\ 0, & \text{else} \end{cases} \qquad (1)$$

ii) For k > 1,

$$E_n(S, k) = \begin{cases} 1, & \text{if } B_k(S) \in A_n \text{ and } \forall i < k,\ m \ge n:\ E_m(S', i) \ne 1 \\ 0, & \text{else} \end{cases} \qquad (2)$$

where S' is the new supblock obtained by supposing that the central pixel in B_k(S) is changed.

The subblock embeddable function E_n(S, k) depicts whether the k-th subblock of S is suitable for embedding at rank n: E_n(S, k) = 1 or 0 means "yes" or "no" respectively. The subblock B_k(S) is n-level-embeddable if E_n(S, k) = 1.

There may be more than one n-level-embeddable subblock in a supblock. For the visibility effect, only one of them is picked for embedding. We define the supblock embeddable indicator function f(S, n) as

$$f(S, n) = \begin{cases} \min\{k \mid E_n(S, k) = 1\}, & \text{if } \sum_k E_n(S, k) \ge 1 \\ 0, & \text{else} \end{cases} \qquad (3)$$

The function f(S, n) describes whether the supblock is embeddable at rank n and, if so, which subblock is selected for embedding. The supblock S is n-level-embeddable if f(S, n) > 0.

We consider the sample shown in Fig. 3 for the top level. In addition, we should define the pattern set A_N of the top level N. Here we let it be the collection of patterns similar to the pattern of Fig. 2(b). For the supblock shown in Fig. 3, we obtain E_N(S, k) = 0 for k = 1, 2, 4 and E_N(S, 3) = 1; further, f(S, N) = 3, meaning the 3rd subblock (Fig. 3(3)) is suggested for embedding.

The efficiency of supblock mechanics will be demonstrated in Sect. 3. 



2.3 Embedding and Extracting 

During the embedding procedure, the method will try to embed the critical data in the supblocks with high rank. At the same level, all the embeddable supblocks are permuted randomly based on a secret key before the embedding. The permutation has two advantages. First, it avoids clustering of the selected supblocks. Second, it also improves security. To summarize, the full procedure of embedding is as follows:

1. Partition the binary image into supblocks of the same size, e.g. 4x4.

2. Set Level = MAXRANK.

3. While Level > 0 and not all critical data have been embedded:

a) For each supblock S_i that has not been marked, compute f(S_i, Level).

b) Perform the random permutation of the supblocks with f(S_i, Level) > 0.

c) Embed the critical data in the permuted supblocks, one bit per supblock.

d) If the embedding is finished, quit.

e) Level ← Level − 1.

The extraction of the critical data is the inverse procedure. It is not difficult to deduce the procedure of extraction, so it is omitted here.
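The following is an added example, not code from the paper, that implements the subblock embeddable function E_n(S, k) of Eqs. (1) and (2), the supblock indicator f(S, n) of Eq. (3), and the top-down level scan of step 3 above for one 4x4 supblock. Two things are assumptions: the paper defines A_n only by example, so here a pattern's rank is the smaller of its black and white neighbour counts (0 for a homochromous neighbourhood, 4 for an evenly split one), and the numbering of the four overlapping 3x3 subblocks inside the supblock is chosen by me.

```python
# Added example (not from the paper): E_n(S, k) of Eqs. (1)-(2), f(S, n) of Eq. (3) and
# the level scan of the embedding loop, for a 4x4 supblock with four 3x3 subblocks.
# ASSUMPTIONS: the rank function standing in for A_n and the subblock numbering.
from typing import Tuple

Supblock = Tuple[Tuple[int, ...], ...]   # 4x4 grid of 0/1; immutable, so S' is a fresh copy

MAXRANK = 4
# Assumed numbering of the four 3x3 subblocks: (row, col) of each subblock's top-left
# corner inside the 4x4 supblock. Keys 1..4 play the role of B_1(S) .. B_4(S).
SUBBLOCK_ORIGINS = {1: (0, 0), 2: (0, 1), 3: (1, 0), 4: (1, 1)}


def subblock_pattern(S: Supblock, k: int) -> Tuple[int, ...]:
    """The 8 neighbours of the central pixel of B_k(S), excluding the centre itself."""
    r0, c0 = SUBBLOCK_ORIGINS[k]
    return tuple(S[r0 + dr][c0 + dc]
                 for dr in range(3) for dc in range(3) if (dr, dc) != (1, 1))


def rank(pattern: Tuple[int, ...]) -> int:
    """Assumed stand-in for 'pattern in A_n': the more mixed the neighbourhood, the
    higher the rank, since a flipped centre hides among same-coloured neighbours."""
    ones = sum(pattern)
    return min(ones, len(pattern) - ones)


def flip_centre(S: Supblock, k: int) -> Supblock:
    """S' of Eq. (2): S with the central pixel of B_k(S) inverted."""
    r0, c0 = SUBBLOCK_ORIGINS[k]
    rows = [list(row) for row in S]
    rows[r0 + 1][c0 + 1] ^= 1
    return tuple(tuple(row) for row in rows)


def E(S: Supblock, n: int, k: int) -> int:
    """Subblock embeddable function E_n(S, k), recursive as in Eqs. (1) and (2)."""
    if rank(subblock_pattern(S, k)) != n:     # B_k(S) not in A_n
        return 0
    if k == 1:                                 # Eq. (1): no earlier subblock to check
        return 1
    S_prime = flip_centre(S, k)                # Eq. (2): assume the centre is changed ...
    for i in range(1, k):                      # ... and require that no earlier subblock
        for m in range(n, MAXRANK + 1):        # becomes embeddable at rank >= n in S'
            if E(S_prime, m, i) == 1:
                return 0
    return 1


def f(S: Supblock, n: int) -> int:
    """Supblock embeddable indicator f(S, n) of Eq. (3): the smallest k with
    E_n(S, k) = 1, or 0 when the supblock is not n-level-embeddable."""
    embeddable = [k for k in SUBBLOCK_ORIGINS if E(S, n, k) == 1]
    return min(embeddable) if embeddable else 0


def best_level(S: Supblock) -> Tuple[int, int]:
    """Highest rank at which S is embeddable and the subblock picked there, scanning
    from MAXRANK downwards exactly as the embedding loop (step 3) does."""
    for level in range(MAXRANK, 0, -1):
        k = f(S, level)
        if k > 0:
            return level, k
    return 0, 0


# Constructed sample supblock: a vertical black/white boundary (1 = black).
SAMPLE: Supblock = (
    (1, 1, 0, 0),
    (1, 1, 0, 0),
    (1, 1, 0, 0),
    (1, 1, 0, 0),
)

if __name__ == "__main__":
    for k in SUBBLOCK_ORIGINS:
        print(f"B_{k}: rank {rank(subblock_pattern(SAMPLE, k))}, E_3 = {E(SAMPLE, 3, k)}")
    print("f(S, 4) =", f(SAMPLE, 4), " f(S, 3) =", f(SAMPLE, 3))
    print("best level, subblock =", best_level(SAMPLE))
```

On the sample all four subblocks have rank 3, yet E_3(S, 3) and E_3(S, 4) come out 0 because flipping their centres would make an earlier subblock rank-4 embeddable in S'; the recursion in Eq. (2) is what keeps the choice of subblock stable for blind extraction.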

3 Experimental Results and Analysis 

The experiments summarized below were all conducted with a 4-by-4 supblock size and a 3-by-3 subblock size, unless otherwise specified. Our experimental results are presented in three parts. The first is tests on our method. The comparison with other schemes is performed in the second part. The last part is a demonstration of the application to tampering detection.



3.1 Tests on Our Methods 

We have conducted many tests on our method. It achieves excellent performance because the changes made by embedding are not noticeable, while it still has a moderate capacity. Some results are presented in Fig. 4. To embed 200 bits in a host image of size 166 x 198, 105 pixels are changed, but the marked image differs very little from the original host image. The difference map between Fig. 4(a) and Fig. 4(b) is shown in Fig. 4(c).




Fig. 4. Data hiding by our method: (a) the original host image with size 166 x 198, (b) the marked image after embedding 200 bits, (c) the difference map, indicated by black pixels (105 pixels in total).



As we mentioned earlier, the supblock mechanics can efficiently increase the number of embeddable subblocks. We have tested the supblock mechanics on 100 binary images of different sizes and content. Some of the statistical data are shown in Fig. 5. They indicate that, after applying the supblock mechanics, the number of embeddable subblocks increases by 20%-45% at the different levels, compared with using 3-by-3 subblocks directly. Figure 5 shows the comparison for the four highest ranks.




[Figure 5 not reproduced: bar chart over the top 4 levels; legend: "without using supblock", "using supblock"]

Fig. 5. Efficiency of supblock mechanics.



3.2 Comparison with Other Methods 

To compare with other methods, we have implemented the WU98 scheme [7] and the PAN00 scheme [8]. We use the same block size as in the implementation of our scheme (that is, 4-by-4) for the WU98 scheme, and a block size of 16 x 16 for the PAN00 scheme, since its advantage appears only when the block size is large. For a fair comparison of the images' perceptual quality, the size and content of the critical data are the same for all three methods.

One of the results is shown in Fig. 6. The host image size is 293-by-384 and the amount of critical data is 480 bits. Obviously, the PAN00 scheme introduces image-wide "visual noise", and WU98 also introduces "visual noise" near the boundaries.

In both the WU98 scheme and the PAN00 scheme, each pixel in a block is changeable. Without considering perceptual loss, they always introduce some isolated pixels, all of whose neighbors have the opposite color. This reduces the image quality seriously. In contrast, our approach achieves superior performance compared with the WU98 and PAN00 schemes.



3.3 Tampering Detection 

Because digital images are easy to edit, the authentication of such documents has become a great concern in recent years. The proposed scheme can be used for the purpose of tampering detection.

Figure 7 shows a sample of scanned text for alteration detection. The host image is the first page of the paper by Fabien A. P. Petitcolas et al. After embedding another binary image of size 84 x 125 in the host image, we remove a radix point in the marked image. Figure 7(c) is the extracted data after alteration. Obviously, the extracted binary image is significantly different from the original binary image of the panda logo.

Fig. 6. Comparison with other methods. The amount of hidden data is 480 bits: (a) the original host image with size 293 x 384, (b) the marked image by the PAN00 scheme with block size 16 x 16, (c) the marked image by the WU98 scheme with block size 4x4, (d) the marked image by our method with supblock size 4x4 and subblock size 3x3.



[Figure 7 not reproduced: the scanned first page of "Information Hiding — A Survey" by Fabien A. P. Petitcolas, Ross J. Anderson, and Markus G. Kuhn; the OCR of the scanned text is omitted]

Fig. 7. Alteration detection for scanned text: (a) the marked image with size 1048 x 1380, after embedding 10,500 bits, (b) removing the radix point in the marked image, (c) the critical data (panda logo with size 84 x 125), (d) the extracted critical data after alteration.
4 Conclusion

This paper proposes a new data hiding algorithm for two-color images. The main idea is to use subblock pattern classification and supblock mechanics to select for embedding the pixels whose modification causes the least visual quality reduction. Analysis and experimental results both show that the proposed method provides superior performance and greatly outperforms the previous approaches in visual transparency. It can be applied to tampering detection, invisible annotation, and covert communication.
Abstract. We develop an efficient identification scheme based on the Cramer-Shoup test function. The scheme is provably secure against reset attack under the post-processing model, assuming the hardness of the decisional Diffie-Hellman problem and the existence of collision-free hash functions.



1 Introduction 

Smart cards have been used extensively in practice, e.g., in user access control and secure electronic commerce. Since a smart card is no more than an electronic device embedded with a chip capable of processing private information, it is vulnerable to the reset attack. We remark that the reset attack is a real security concern, since a malicious user who has the smart card available, e.g., when it is lost or stolen, can simply disconnect its battery so as to reset its content to the initial state, then re-insert the battery and use it with that state a number of times. The above attack has been discussed by Canetti, Goldwasser, Goldreich and Micali in [4]. Based on their simple observations, an interesting question is suggested in [4]: if an adversary is able to run several identification protocols in the role of a verifier with the same prover, each time being able to reset the prover to the same internal state including the same random tape, can the adversary learn enough to impersonate the prover later on? The answer is that any identification protocol based on a zero-knowledge proof system is not secure under this attack, since the knowledge can be extracted by resetting the random tape of the identification protocol a polynomial number of times [4, 1]. Unfortunately, the extensively used identification protocols, e.g., Fiat-Shamir's identification scheme [7] and Schnorr's identification [10], are based on the zero-knowledge proof paradigm. Hence the identification protocols mentioned above are insecure under the reset attack. It follows that the reset attack is a very dangerous attack if the identification protocol equipped in a stolen smart card is based on the zero-knowledge proof paradigm.
1.1 Related Works

The pioneering work related to resettable identification protocols is due to Canetti, Goldwasser, Goldreich and Micali [4]. They provide an identification protocol secure against reset attack in the public key model. However this scheme suffers from inefficiency in practice. Later Bellare, Goldwasser and Micali [1] developed three identification protocols. The first two identification schemes are based on cryptographic primitives (a public key encryption scheme and a stateless signature scheme, respectively) while the third protocol is based on the membership in NP languages of [4], which still suffers from inefficiency. It is an interesting problem whether we are able to construct efficient identification protocols secure against reset attacks based on a standard intractability assumption such as the decisional Diffie-Hellman assumption, rather than on cryptographic primitives such as a public key encryption scheme or a digital signature scheme. The adversary's model in [1], allowing the reset attack in the concurrent setting, is the strongest model for identification protocols considered to date. Two types of resettable attacks, concurrent-reset-1 (CR1) and concurrent-reset-2 (CR2), are distinguished in their notable report [1]. In the CR1 setting, the adversary (say Vicky) may concurrently run many identification protocols with the prover (say Alice), resetting Alice to the initial state and interleaving the executions, hoping to learn enough to be able to impersonate Alice at a future time. Later Vicky will try to impersonate Alice. In the CR2 setting, while Vicky is trying to impersonate Alice, she may concurrently run many identification protocols with the honest prover Alice, resetting Alice to the initial state and interleaving the executions. Notice that the CR1 attack is a special case of the CR2 attack; hence if an identification protocol is secure in the CR2 setting then it is also secure in the CR1 setting.



1.2 Our Contributions 

We are interested in the construction of efficient identification protocols secure against the reset attack under standard intractability assumptions. In this report we develop such an efficient identification protocol, assuming the hardness of the decisional Diffie-Hellman problem and the existence of collision-free hash functions. Our work is not trivial, since the identification protocol is NOT based on any provably secure cryptographic primitive, e.g., a public key encryption scheme or a digital signature scheme. Hence our method differs from Bellare, Goldwasser and Micali's. Furthermore, the identification protocol presented in this report is more efficient than those presented in [1] and [4].
2 Models and Definitions

Our identification protocol is a 3-move protocol. MSG_1 is the first message, indicating the beginning of the execution of the protocol, while MSG_3 is the final message. There are four participants in our identification model: a trusted third party, a prover, a verifier and an adversary. The trusted third party is off-line and issues a legitimate certificate for a new user instance at initial registration. We adopt Bellare, Goldwasser and Micali's model and distinguish the adversary's ability by considering two models of attack. In the pre-processing model, the adversary is given access to the prover's oracle only before the challenge message MSG_2 is given. In the post-processing model, however, the adversary is permitted to access the prover's oracle even after the challenge message MSG_2 is given. The differences between the two models are explained in detail below.

2.1 Pre-processing Model

The prover sends the first and the last messages. At the end of the interaction with the prover, the verifier outputs a decision, which is either accept or reject. The security definition of the identification protocol under the pre-processing model is similar to the pre-processing (IND-CCA1) setting of Naor and Yung [8]. In the pre-processing model, the adversary's action is divided into two phases: in the first phase, the adversary interacts with the honest prover instance, not being allowed to interact with the verifier, and tries to find the help information that will be used in the second phase. In the second phase, the challenge message is given and access to the prover instance is denied. The adversary tries to convince the verifier to accept the response message. The adversary, Vicky, wins the game if she can make the honest verifier accept the response message. The adversary's advantage is defined by Adv(Pre-processing) = Pr[Win = true]. We say an identification protocol is secure against reset attack in the pre-processing model if Adv(Pre-processing) is negligible.

2.2 Post-processing Model

The security definition under the post-processing model is similar to the definition of the post-processing (IND-CCA2) setting of Rackoff and Simon [9]. The prover, Alice, sends MSG_1 = (Cert_A, a) indicating the beginning of the protocol, where Cert_A is the certificate of her public key while a is a random string chosen from Z_p^*. Then the honest verifier generates a challenge message known to the adversary. In the post-processing model, the adversary is given access to the prover's oracle even after the challenge message is given. Since the adversary can mount a man-in-the-middle attack between the honest verifier and the honest prover, relaying the messages back and forth until the honest verifier accepts, we should carefully define the security of the identification protocol under the post-processing model. Fortunately, with the help of the notion of a session id suggested by Bellare and Rogaway [3], we can define when the adversary wins the game. We say the adversary wins the game if the honest verifier accepts the response message provided by the adversary and the adversary holds a session id different from that shared between the honest prover and the honest verifier. The advantage of the adversary is defined as Adv(Post-processing) = Pr[Win = true]. An identification protocol is said to be secure against the reset attack in the post-processing model if Adv(Post-processing) is negligible. By the definitions, if an identification protocol is secure against reset attack under the post-processing model then it is also secure against reset attack under the pre-processing model.

2.3 Security Assumptions 

The aim of this work is to design an efficient identification protocol secure against reset attack under the post-processing model. The proof of security is based on the hardness assumption of the decisional Diffie-Hellman problem as well as the existence of collision-free hash functions. We state the assumptions as follows:

Decisional Diffie-Hellman assumption. Let G be a large cyclic group of prime order q. We consider the following two distributions:

— The distribution R of random quadruples (g_1, g_2, u_1, u_2) ∈ G^4, where g_1, g_2, u_1 and u_2 are uniformly distributed in G^4.

— The distribution D of quadruples (g_1, g_2, u_1, u_2) ∈ G^4, where g_1 and g_2 are uniformly distributed in G^2 whilst u_1 = g_1^r and u_2 = g_2^r for an r uniformly distributed in Z_q.

An algorithm that solves the quadruple decisional Diffie-Hellman problem is a statistical test that can efficiently distinguish these two distributions. The decisional Diffie-Hellman assumption means that there is no such polynomial-time statistical test. This assumption is believed to be true for many cyclic groups, such as the prime-order subgroup of the multiplicative group of a finite field.

Computational Diffie-Hellman assumption. Let G be a large cyclic group of prime order q. Let x, y ∈ Z_q be two random variables. Given (g, g^x, g^y), it is assumed to be a hard problem to compute g^{xy}.

Collision-free hash function. A hash function H is called collision free if it is difficult to find a pair (x, y) with x ≠ y such that H(x) = H(y).

Cramer-Shoup encryption scheme [5]: Since the proof of security of the identification scheme relies on the non-malleability of the Cramer-Shoup encryption scheme, we sketch the Cramer-Shoup encryption scheme as follows:

— Key generation: Let G be a subgroup of prime order q. Randomly choose x_1, x_2, y_1, y_2, z ∈ Z_q and compute c = g_1^{x_1} g_2^{x_2}, d = g_1^{y_1} g_2^{y_2} and h = g_1^z. The private key is (x_1, x_2, y_1, y_2, z) and the public key is (g_1, g_2, c, d, h, H), where H is a collision-free hash function;

— Encryption: To encrypt a message m ∈ G, choose r ∈ Z_q at random and compute u_1 = g_1^r, u_2 = g_2^r, e = m h^r, α = H(u_1, u_2, e), v = c^r d^{rα}. The cipher-text is (u_1, u_2, e, v).

— Decryption: Given a putative cipher-text (u_1, u_2, e, v), compute α = H(u_1, u_2, e) and test whether u_1^{x_1 + y_1 α} u_2^{x_2 + y_2 α} = v; if this condition does not hold, the decryption algorithm outputs reject; otherwise, it outputs m = e / u_1^z.

We call the test u_1^{x_1 + y_1 α} u_2^{x_2 + y_2 α} = v Cramer-Shoup's test function. The Cramer-Shoup encryption scheme is proved to be secure against adaptive chosen cipher-text attack; that is, the scheme is non-malleable under the adaptive chosen cipher-text attack model. In a typical implementation, we choose the group G with large prime order q such that (p − 1) = 2q. The decryption oracle should test the proper encoding of u_1, u_2 and must check that u_1^q = 1 and u_2^q = 1 so as to ensure that u_1, u_2 ∈ G. This remark also applies to the protocols presented in this report.



3 Identification Scheme Provably Secure under 
Post-processing Model 

The fact that any identification scheme secure against reset attack under the post-processing model is also secure against reset attack under the pre-processing model means that it is sufficient for us to develop an efficient identification scheme provably secure against reset attack in the post-processing model.



3.1 Description of Identification Protocol 

Key generation: we choose two large primes p and q such that p = 2q + 1. Let G (which one can regard as Z_q) be a group of prime order q. Let g_1, g_2 be two random generators of G. The private key is (x_1, x_2, y_1, y_2). The public key is (c = g_1^{x_1} g_2^{x_2}, d = g_1^{y_1} g_2^{y_2}) and H (a collision-free hash function).

— Alice sends MSG_1 = (Cert_A, a) indicating the start of the session, where Cert_A is the certificate of her public key while a is a random string chosen from Z_p^*;

— Bob chooses r ∈ Z_q and b ∈ Z_q at random and computes u_1 := g_1^r, u_2 := g_2^r, α = H(u_1, u_2, k) and u_3 := H(a, b, c^r d^{rα}), where k = ab mod p. Finally he sends the challenge message MSG_2 := (u_1, u_2, u_3, k) to Alice;

— Upon receiving the challenge message MSG_2 := (u_1, u_2, u_3, k), Alice computes α = H(u_1, u_2, k) and v := u_1^{x_1 + y_1 α} u_2^{x_2 + y_2 α}. Then she checks whether H(a, k/a, v) = u_3. If the challenge message is valid then she sends the response MSG_3 := H(H(a, v), H(k/a, v), H(k, v)) to Bob; otherwise she rejects.

— Bob accepts Alice's response message MSG_3 if and only if MSG_3 = H(H(a, v), H(b, v), H(k, v)), where v = c^r d^{rα} is the value he computed. The session id of the game is Sid := (a, b).
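The following is an added example, not code from the paper, that runs the 3-move protocol above end to end, with Alice's side built on the Cramer-Shoup test function of Sect. 2.3 and Bob's on c^r d^{rα}; it also shows Alice rejecting a challenge whose u_3 was altered in transit. The toy group (q = 1019, p = 2q + 1 = 2039), the two generators, SHA-256 as the collision-free hash H (reduced mod q where it serves as the exponent α), and the certificate placeholder are all assumptions made for this example.

```python
# Added example (not from the paper): the 3-move identification protocol of Sect. 3.1
# on top of the Cramer-Shoup test function of Sect. 2.3.
# ASSUMPTIONS: toy group parameters, SHA-256 for H, and a placeholder certificate.
import hashlib
import secrets
from typing import Optional, Tuple

Q = 1019                 # prime order of the subgroup G (toy size, constructed for this example)
P = 2 * Q + 1            # 2039, prime; the squares mod P form the order-Q subgroup G
G1 = pow(2, 2, P)        # two generators of G (any non-identity square generates it)
G2 = pow(3, 2, P)


def H(*parts) -> str:
    """Collision-free hash H over a tuple of values (SHA-256 stands in; an assumption)."""
    return hashlib.sha256(b"|".join(str(x).encode() for x in parts)).hexdigest()


def H_exp(*parts) -> int:
    """H used as an exponent in Z_q: alpha = H(u1, u2, k) mod q."""
    return int(H(*parts), 16) % Q


def keygen() -> Tuple[Tuple[int, int, int, int], Tuple[int, int]]:
    """Private key (x1, x2, y1, y2); public key (c, d) with c = g1^x1 g2^x2, d = g1^y1 g2^y2."""
    x1, x2, y1, y2 = (secrets.randbelow(Q - 1) + 1 for _ in range(4))
    c = pow(G1, x1, P) * pow(G2, x2, P) % P
    d = pow(G1, y1, P) * pow(G2, y2, P) % P
    return (x1, x2, y1, y2), (c, d)


def prover_msg1(cert: str) -> Tuple[str, int]:
    """MSG1 = (Cert_A, a): Alice's certificate and a random a in Z_p^*."""
    return cert, secrets.randbelow(P - 1) + 1


def verifier_msg2(pub: Tuple[int, int], a: int):
    """MSG2 = (u1, u2, u3, k): u1 = g1^r, u2 = g2^r, k = ab mod p, alpha = H(u1, u2, k),
    u3 = H(a, b, c^r d^{r alpha}). Returns the message and Bob's state (b, v)."""
    c, d = pub
    r = secrets.randbelow(Q - 1) + 1
    b = secrets.randbelow(Q - 1) + 1        # b in Z_q, so b < p and k/a mod p recovers it
    u1, u2 = pow(G1, r, P), pow(G2, r, P)
    k = a * b % P
    alpha = H_exp(u1, u2, k)
    v = pow(c, r, P) * pow(d, r * alpha % Q, P) % P
    return (u1, u2, H(a, b, v), k), (b, v)


def prover_msg3(priv, a: int, msg2) -> Optional[str]:
    """Alice recomputes v with the Cramer-Shoup test function
    v = u1^{x1 + y1 alpha} u2^{x2 + y2 alpha}, checks H(a, k/a, v) = u3, and if the
    challenge is valid answers MSG3 = H(H(a, v), H(k/a, v), H(k, v)); else None (reject)."""
    x1, x2, y1, y2 = priv
    u1, u2, u3, k = msg2
    alpha = H_exp(u1, u2, k)
    v = pow(u1, (x1 + y1 * alpha) % Q, P) * pow(u2, (x2 + y2 * alpha) % Q, P) % P
    b = k * pow(a, -1, P) % P              # k/a in Z_p^*
    if H(a, b, v) != u3:                   # malformed or replayed-with-edits challenge
        return None
    return H(H(a, v), H(b, v), H(k, v))


def verifier_accept(a: int, state, k: int, msg3: Optional[str]) -> bool:
    """Bob accepts iff MSG3 = H(H(a, v), H(b, v), H(k, v)) for his own b and v."""
    b, v = state
    return msg3 is not None and msg3 == H(H(a, v), H(b, v), H(k, v))


def run_session(priv, pub, tamper_u3: bool = False) -> bool:
    """One full run of the protocol; with tamper_u3 the challenge is corrupted in
    transit, so Alice must reject it instead of answering."""
    cert, a = prover_msg1("CERT_A(placeholder)")
    msg2, state = verifier_msg2(pub, a)
    if tamper_u3:
        u1, u2, u3, k = msg2
        msg2 = (u1, u2, H("forged u3"), k)
    msg3 = prover_msg3(priv, a, msg2)
    return verifier_accept(a, state, msg2[3], msg3)


if __name__ == "__main__":
    priv, pub = keygen()
    print("honest run accepted:", run_session(priv, pub))
    print("tampered challenge accepted:", run_session(priv, pub, tamper_u3=True))
```

The two v values agree because u_1^{x_1 + y_1 α} u_2^{x_2 + y_2 α} = (g_1^{x_1} g_2^{x_2})^r (g_1^{y_1} g_2^{y_2})^{rα} = c^r d^{rα}, which is exactly the equality the Cramer-Shoup decryption test relies on.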
3.2 Security Analysis

In this section, we want to prove that the protocol is secure against reset attack under the post-processing model. We state the attack as follows: given the first message MSG_1 = (Cert_A, a), where a ∈ Z_p^*, and the second (challenge) message MSG_2 = (u_1, u_2, u_3, k) provided by the honest verifier, the adversary chooses a challenge message MSG'_2 different from the target challenge message MSG_2 = (u_1, u_2, u_3, k), then uses the honest prover as an oracle, trying to get useful information. Finally the adversary tries to impersonate Alice as a legal user. We consider the following three cases of the MSG'_2 queried by the adversary.

Cramer-Shoup encryption simulator. We add another public key h (h = g_1^z) to the key generation of the identification scheme described above. If MSG_2 = (u_1, u_2, u_3, k) is a valid challenge message then the prover sends back the response message MSG_3 and later outputs the clear-text m = k / u_1^z. We call this modified identification scheme the Cramer-Shoup encryption simulator. Since k ∈ G is chosen at random, we can view k as a mask of some message m (k = m h^r). It is clear that the simulator is equivalent to the actual Cramer-Shoup encryption scheme [5]. Hence the simulator is non-malleable under adaptive chosen cipher-text attack.

Lemma 1. [5] If (g_1, g_2, u_1, u_2) comes from the random quadruple distribution in the Cramer-Shoup simulator, then the probability that the adversary can compute the challenge value v = u_1^{x_1 + y_1 α} u_2^{x_2 + y_2 α} is negligible, where k is a random string and α = H(u_1, u_2, k). In other words, all queries to the prover oracle must come from Diffie-Hellman quadruples.

Lemma 2. [5] There is no information leakage if (g_1, g_2, u_1, u_2) comes from the Diffie-Hellman quadruple distribution in the Cramer-Shoup simulator.

Case 1 - Prover Oracle Query

Case 1.1: Given MSG_2 = (u_1, u_2, u_3, k), which is provided by the honest verifier, suppose the adversary provides an input to the prover's oracle of the form MSG'_2 = (u_1, u_2, u'_3, k). Since H is assumed to be a collision-free hash function, it follows that the adversary is able to compute c^r d^{rα} with non-negligible probability. That is, given u_1, u_2 and u = c d^α, the adversary is able to compute u^r = (c d^α)^r. However this contradicts the computational Diffie-Hellman assumption. Hence the probability of case 1.1 is negligible.

Case 1.2: Given MSG_2 = (u_1, u_2, u_3, k), which is provided by the honest verifier, suppose the adversary provides an input to the prover's oracle of the form MSG'_2 = (u_1, u_2, u'_3, k'), where k' ≠ k. We want to show that the probability that the adversary can compute u'_3 such that u'_3 = H(a, b, c^r d^{rα'}) is negligible, where α' = H(u_1, u_2, k'). Since H is assumed to be a collision-free hash function, it follows that the adversary is able to compute c^r d^{rα'} with non-negligible probability. That is, the adversary is able to compute a valid mask k' of a message m' (k' = m' h^r) such that m/m' = k/k' with non-negligible probability. This contradicts the non-malleability of the Cramer-Shoup encryption scheme [5]. Hence the probability of case 1.2 is negligible.

Case 2 - Prover Oracle Query

Case 2.1: Given the challenge message MSG2 = (u_1, u_2, u_3, k) generated
by the honest verifier Bob, the adversary tries to query the prover oracle with a
message of the form MSG2' = (u_1', u_2', u_3, k). By Lemma 1, we know that
(g_1, g_2, u_1', u_2') must come from a Diffie-Hellman quadruple. Suppose the adversary
knows the exact value r' such that u_1' = g_1^{r'} and u_2' = g_2^{r'}. Then there is no
information leaked according to Lemma 2. That is, the adversary obtains no
useful information from the current conversation.

Case 2.2: We consider the case that the adversary does not know the exact
value r' such that u_1' = g_1^{r'} and u_2' = g_2^{r'}. Since any r' ∈ Z_q can be written in
the form r' = r f_1 + f_2 (for some f_1, f_2 ∈ Z_q), we set u_1' = g_1^{r'} = u_1^{f_1} g_1^{f_2} =
g_1^{r f_1 + f_2} = g_1^{r'} and u_2' = u_2^{f_1} g_2^{f_2} = g_2^{r'}, where f_1, f_2 ∈ Z_q are strings
chosen by the adversary. Since H is assumed to be a collision-free hash function, it
follows that the adversary is able to compute c^{r'} d^{r'α} with non-negligible probability
by assumption. By the Cramer-Shoup encryption simulator, we can view k as
the valid mask of the message m such that k = m h^r and also as the valid mask
of the message m' such that k = m' h^{r'}. It follows that the adversary can compute
the valid cipher-text of message m' with the relationship k = m'(k/m)^{f_1} h^{f_2}
with non-negligible probability, where f_1, f_2 are random strings chosen by the
adversary. This contradicts the non-malleability of the Cramer-Shoup
encryption simulator. Hence case 2.2 is negligible.

Case 3 - Prover Oracle Query

Case 3.1: Given the challenge message MSG2 = (u_1, u_2, u_3, k) generated
by the honest verifier Bob, the adversary tries to provide an input to the
prover oracle of the form MSG2' = (u_1', u_2', u_3', k'). By Lemma 1, we know that
(g_1, g_2, u_1', u_2') must come from a Diffie-Hellman quadruple. Suppose that the
adversary knows the exact value r' such that u_1' = g_1^{r'} and u_2' = g_2^{r'}. Then
there is no information leaked according to Lemma 2. Hence case 3.1 is
negligible.

Case 3.2: We consider the case that the adversary does not know the
exact value r' such that u_1' = g_1^{r'} and u_2' = g_2^{r'}. In this setting, we set
u_1' = u_1^{f_1} g_1^{f_2} and u_2' = u_2^{f_1} g_2^{f_2}, where f_1, f_2 ∈ Z_q are two strings chosen by the
adversary. Since H is assumed to be a collision-free hash function, it follows that
the adversary is able to compute c^{r'} d^{r'α} with non-negligible probability by
the assumption. By the Cramer-Shoup simulator, we can view k as a valid mask of the
message m such that k = m h^r and k' as a valid mask of m' such that
k' = m' h^{r'}, respectively. It follows that the adversary is able to compute a
valid mask k' of message m' (k' = m' h^{r'}) such that k' = m'(k/m)^{f_1} h^{f_2} with
non-negligible probability, where k = m h^r. This contradicts the non-malleability
of the Cramer-Shoup encryption simulator. Hence case 3.2 is negligible.
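The mask relation used in Cases 2.2 and 3.2, written out as an added derivation in the paper's own symbols (not part of the original paper). Assume u_1 = g_1^r, u_2 = g_2^r, k = m h^r, and that the adversary picks f_1, f_2 ∈ Z_q so that r' = r f_1 + f_2:

$$u_1' = u_1^{f_1} g_1^{f_2} = g_1^{r f_1 + f_2} = g_1^{r'}, \qquad u_2' = u_2^{f_1} g_2^{f_2} = g_2^{r f_1 + f_2} = g_2^{r'},$$

so (g_1, g_2, u_1', u_2') is again a Diffie-Hellman quadruple, with an exponent r' the adversary never learns. The mask under r' is

$$h^{r'} = h^{r f_1 + f_2} = (h^r)^{f_1} h^{f_2} = (k/m)^{f_1} h^{f_2},$$

hence a mask of m' under the same r' is

$$k' = m' h^{r'} = m' (k/m)^{f_1} h^{f_2},$$

which is the relationship invoked in Case 3.2; Case 2.2 is the special case k' = k.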

The above argument implies that there is no information leaked even in the
post-processing model. Hence we have the following statement.

Main result. The protocol described above is secure against reset attack
under the post-processing model, provided that the decisional Diffie-Hellman
problem is hard and the hash function is collision free.



4 Conclusions 

We have developed a new identification protocol secure against reset attack under
the post-processing model. The security proof is based on the hardness of the
decisional Diffie-Hellman problem and on the existence of collision-free hash
functions. Since no random tape is involved in a prover instance, the
reset attack does not work against our protocol. Our work is not trivial, since the
identification protocol is not based on any cryptographic primitives such as a public
key encryption scheme or a digital signature scheme, which differs from the
pioneering works of Bellare, Goldwasser and Micali. Moreover, our identification protocol
is more efficient than those presented in [1] and [4].
Abstract. Internet Key Exchange (IKE) is the default automated key
management protocol selected for use with the Internet Protocol Security (IPSec) protocol.
IKE has been widely implemented, but it has also been criticized all along.
The scalability of IKE is a question that needs to be analyzed more seriously, and that
is the main issue of this paper. This paper presents estimates of the effort of
the IKE negotiation using two different cases. The estimation is done
theoretically, but concrete packet sizes and transmission times are also
calculated. The estimation introduces a scenario where a user needs a secure
connection to some application server.



1. Introduction 

The default automated key management protocol selected for use with IPSec is the 
Internet Key Exchange (IKE) under the IPSec Domain of Interpretation (DOI). The 
major function of the IKE is the establishment and maintenance of Security 
Associations. A Security Association (SA) is a relationship between two or more 
entities that describes how the entities will utilize security services to communicate 
securely [1, 2]. This relationship is represented by a set of information that can be 
considered a contract between the entities. 

This paper aims to discuss the scalability of the Internet Key Exchange (IKE)
protocol using the IKE main mode [1]. In this scenario, the main focus is on users
who wish to connect to services in the Internet. All of these users possess
IKE solutions that support the use of trusted third parties for the key exchange. The
three elements of this research are:

• Users, 

• Application servers, 

• Trusted third parties. 

The users require secured connections and burden the network with frequent
negotiations. A trusted third party [2] is one type of service provider in the
Internet, because it offers key management and distribution services. The trusted third
party can be a certificate authority that provides information about the certified entities
[2] and stores the public keys. Alternatively, the trusted third party can simply be a
key distribution center.

Nowadays, the connection to the Internet can be established in many ways. In this 
research, the users have a connection to the Internet through either a mobile 
connection or a PC connection. 
Another important aspect of this research is the application server. The case of a user
that requires a secure connection to a server is studied and the effort of the
corresponding negotiation is estimated. The application servers that are considered
within this research are servers providing WWW services and email servers.

As the number of communicating parties rises and the use of Internet
applications becomes more common, traffic jams become evident. The
accessibility of the services weakens, which causes communications to be delayed or to break
down. Some protocols do not work well in such circumstances, which indicates a
lack of scalability. This paper discusses the scalability within the IKE protocol
framework.



2. The Network 

This paper uses a hypothetical communication network that contains N (N ∈ Z, where
Z is the set of integers) different users. These users can be gathered under K (K ∈ Z,
1 ≤ K ≤ N) different user profiles, which are separated by the security level. The
Internet usage can indicate either the use of email services or the use of World Wide
Web (WWW) resources. The security level of a user is derived from the encryption
level and the properties of the exchanged keys. The key lengths are set within each
user profile and they can vary significantly among the different user profiles. The
users are denoted by U_i, for i = 1, ..., N.



2.1. About the Users 

The user can be either a mobile user or a PC user, or something completely different.
However, only the mobile and PC users are essential in this study. It can be estimated
that almost 80 % of the users have a PC connection. An estimated 20 % of the users are
mobile users, who possess a normal GSM connection with a speed of 9.6 kbit/s.
However, the concrete speed of the GSM communication may be only 6 kbit/s [7].
Correspondingly, the theoretical maximum speed of a GPRS connection is 171,2
kbit/s, but the concrete speed currently is only 10-40 kbit/s [7].



2.2. The Resource Allocation 

The amount of key exchanges occurring within an hour is essential, because it can 
provide information of the network resource allocation. An example could be that a 
web-user initiates 15-30 key exchanges during an hour. Respectively, the email user 
can initiate 1-3 key exchanges in an hour. The amount of the initiations can be 
presented on two-dimensional figures using e.g. histogram presentations. 

As the transport speed is dependent on the user profile, the different user profiles 
end up with separate levels for the network resource allocation. The mobile users tend 
to allocate the resources for longer, because the transport speed is low. For a PC user, 
the speed of the key exchange is naturally significantly higher. 
Another important difference is that the WWW users perform more frequent key
exchanges, which places a heavy load on the network resources. It is a genuine
research problem to determine the allocation level for each situation.



2.3. Trusted Third Parties 

A trusted third party (TTP) is not an unambiguous entity, because its trustworthiness
is neither certain nor absolute. The trust placed in the trusted third party varies with the
way it is used, which motivates the following classification [5].

• A TTP is called unconditionally trusted if it is trusted on all matters. For example, 
it may have access to the secret and private keys of users, as well as be charged 
with the association of public keys to identifiers. 

• A TTP is called functionally trusted if the entity is assumed to be honest and fair 
but it does not have access to the secret or private keys of users. 

The basic function of a functionally trusted TTP can be to act as a key distribution 
center, which delivers the public keys for non-critical communications. A functionally 
trusted TTP could be used to register or certify users and contents of documents or as 
a judge [5]. Usually, the functionally trusted third party is guaranteed by some other 
trusted third party, unconditionally or functionally trusted. This leads to the chain of 
trust, which is a very useful framework within the authorities. 



3. The Protocol Framework 

The IKE protocol is the IPSec group's answer to protocol negotiation and key
exchange over the Internet [6]. It provides a way to agree on which protocols,
algorithms and keys to use. Secondly, it provides a way to ensure from the beginning
of the exchange that you are talking to whom you think you are talking to. Also, it
makes it possible to manage the keys after they have been generated and agreed upon. As IKE
is a hybrid protocol, it combines parts of Oakley and parts of SKEME with the
Internet Security Association and Key Management Protocol (ISAKMP) to negotiate
and derive keying material for Security Associations in a secure and authenticated
manner [4].

ISAKMP allows the creation of exchanges for the establishment of Security 
Associations and keying material. An ISAKMP message consists of an ISAKMP 
header and some payloads. The appropriate fields and parameters are explained in [2]. 

In the current specifications, ISAKMP has five default exchange types defined [4]. 
This research is going to focus on the Identity Protection Exchange, which is the most 
common exchange mode. The elements of the Identity Protection Exchange are 
presented in Table 1 below. The notations are defined as follows: I indicates the 
initiator, R indicates the responder and * indicates payload encryption after the 
ISAKMP header. 
Table 1. The messages in the Identity Protection Exchange.

Identity Protection Exchange

(1) I → R      SA
(2) R → I      SA
(3) I → R      KE; NONCE
(4) R → I      KE; NONCE
(5) *I → R     ID(I); AUTH
(6) *R → I     ID(R); AUTH



The Identity Protection Exchange is designed to separate the key exchange 
information from the identity and authentication related information. It provides 
protection of the communicating identities at the expense of additional messages. 

There are two phases in IKE functions. In phase one, two peers establish an IKE 
SA, which is a secure channel through which the IPSec SA negotiation can take place. 
In phase two, these two peers negotiate the actual IPSec Security Associations. 

Within Oakley, a basic method to establish an authenticated key exchange is to
use Main Mode, which is an instantiation of the Identity Protection Exchange [4].
Both Main Mode and Quick Mode do SA negotiation. Phase one uses Main Mode,
while Quick Mode is reserved for the phase two negotiations. During SA negotiation, the
initiator presents offers for potential SAs to the responder. The responder must not modify
attributes of any offer [4].

The four different authentication methods that are allowed within phase 1 are 
digital signatures, two forms of authentication with public key encryption, or pre- 
shared key [4]. 



3.1. About the Scalability 

Public key cryptography is the most flexible, scalable, and efficient way for users to 
obtain the shared secrets and session keys needed to support the interoperation 
between the Internet users [8]. Certificates can bind a specific identity of an entity to 
its public keys and possibly other security-related information. However, the 
certificates require an infrastructure for generation, verification, revocation, 
management and distribution. Also, authentication based on digital signatures requires 
a trusted third party or certificate authority to create, sign and properly distribute 
certificates. 

The IKE framework does not mandate a specific signature algorithm or certificate 
authority (CA). The framework has two payloads for the certificate purposes. The 
Certificate payload provides a means to transport certificates or other certificate- 
related information and can appear in any ISAKMP message. Correspondingly, the 
Certificate Request payload provides a means to request certificates via ISAKMP and 
can appear in any message. 

The use of pre-shared keys is not scalable within large user groups because it 
requires external key delivery methods. The expanded use of certificates could 
increase the scalability of IKE as the public keys could be delivered within the 
certificate payloads. The need for external delivery messages could be reduced even 
though the size of the IKE messages would be increased. The certificates require 
verification mechanisms with the corresponding CAs but that is another issue and 
outside the scope of this paper. Other ways to increase the scalability could be the use
of cross certification between the CAs or the growth of the public key amount and
overall availability.



4. Case Studies

Let us consider a situation where user U_i wants to send a secured message to another
user U_j, where 1 ≤ i, j ≤ N and i ≠ j. The users do not share each other's public keys
and it is possible that they have never communicated before. The user U_i sends
a message to the nearest trusted third party and requests the public key of the user U_j.
After successful retrieval of the key, the user U_i can begin the IKE negotiation with
the user U_j by sending the initiating message. Similarly, the user U_j must contact the
trusted third party for the public key of U_i to be able to respond.

For the IKE SA, both users need to send three separate messages as defined in
Table 1 above. The effort of the communication during phase one is

[U_i] + [U_j] = 3 + 3 = 6 (1)

messages. In phase two the initiator U_i sends two messages and the responder U_j
replies with one, which can be formulated as [U_i] + [U_j] = 2 + 1 = 3. The phase two
negotiations happen frequently, because the IPSec SA does not have a long lifetime
and it must be recreated. The lifetime of the IKE SA is longer, so one single IKE SA
can be used to derive multiple IPSec SAs. In addition to that, the IPSec SA is
unidirectional, so the parties usually must carry out the phase two
negotiation twice.

4.1. Case 1: Fixed Application Profile 

In the fixed application profile, users and the network are gathered under strict pre- 
conditions. From the basic elements, this case involves the users and the trusted third 
parties, since the case considers only users communicating with each other. The users 
are assumed to be similar by their connection requirements and types. 

The most interesting variables here are the number of users (N) and the link
capacity C for each link, where the scale is 0 ≤ C ≤ 100, M ∈ Z is the number of
TTPs, and the number of links is in [0, N+M]. The maximum value of the link
capacity is 100, when the network is working optimally and there are no delays. As
the value diminishes, the capacity drops and the effort of the network increases.
Therefore, the link capacity is an addition to the effort scenario, which indicates the
effect of the network properties and capability.

The discussed IKE negotiations contain the establishment of the IKE SA and also
the selection of the IPSec SA in phase 2. In the fixed communication profile, the
establishment of a secure channel via IPSec requires 5 specific messages from the
initiator and 1 message less from the responder. However, the biggest effort of the IKE
negotiation is the local computation of the group parameters for the SAs.

If pre-shared keys and certificate mechanisms are not available, the parties must
acquire each other's public keys from the TTP. In the simplest case, the public
key and other relevant information is distributed in one message. The number of
messages exchanged between a user U_i and a TTP is denoted by m_{i,TTP}, where
1 ≤ m_{i,TTP} ≤ n and n ∈ Z^+. Because it is reasonable to assume that m_{i,TTP} = m_{j,TTP} for
most of the users, the notation m_TTP is used in this chapter. In order to create two
IPSec SAs, the total amount of messages is

L_1 = 2 m_TTP + Σ_{phase 1}[U_i] + 2 Σ_{phase 2}[U_i] + Σ_{phase 1}[U_j] + 2 Σ_{phase 2}[U_j] = 2 m_TTP + 12, (2)

where L_1 ∈ Z^+.



4.1.1. The Estimation 

The burden that IKE causes to network resources can be derived from the number of
users and the capability of the links between the negotiating parties. If N users are
connected to each other as a group, they must create

(N choose 2) = N(N-1)/2 (3)

IKE SAs in total. However, if the users are not communicating as a group and there
are no parallel communications, the N users need to create only N/2 IKE SAs. This
research focuses on the assumption that the users form communication groups in the
network and may have parallel communications. Therefore, the amount of
messages for N users within the phase 1 exchange is



6 · N(N-1)/2 = 3N(N-1). (4)



Also the potential message exchange with the TTP should be considered in this
estimation. If both IPSec SAs are created, the total amount of messages for N users
equals

L_2 = (N(N-1)/2) · (2 m_TTP + Σ_{phase 1}[U_i] + 2 Σ_{phase 2}[U_i] + Σ_{phase 1}[U_j] + 2 Σ_{phase 2}[U_j]) = (N(N-1)/2) · (2 m_TTP + 12), (5)

where L_2 ∈ Z^+. After this message flow, there exists a unidirectional IPSec SA
between all users, which simply means that every user can send secured messages to
other users.

The link capacity C depends on the link properties and the network interference.
The interfering factors can be the amount of data transmitted over the link or
various troubles with the network operability. The link capacity varies between the
different network types and areas. As stated before, the link capacity is on a scale
0 ≤ C ≤ 100, which makes it possible to compare the effects. If the same link is used
by many users, the capacity that can be allocated to each user on the link equals C/l,
where 1 ≤ l ≤ N is the number of users on the link. The link capacity is a
continuous variable, but the link traffic and the burden caused by it are discrete variables.
Therefore, the concrete link capability is a discrete variable that depends on the time
and the concurrent network traffic. The value of the link capability can be estimated
as
D = C · t, (6)

where 0 ≤ D ≤ 100 and t is a time-variant parameter with 0 ≤ t ≤ 1. The time-variant
parameter indicates the reduction of efficiency that can be caused by the users or by
other network operability. The link capability for each user depends on the number of
users N and the link capacity C.

Now, the effort of the data transfer can be estimated more realistically for the IKE
negotiations, because the effect of the capacity has been considered as well. The effort
of creating IPSec connections for N users can be formulated as

L_3 = D · (N(N-1)/2) · (2 m_TTP + Σ_{phase 1}[U_i] + 2 Σ_{phase 2}[U_i] + Σ_{phase 1}[U_j] + 2 Σ_{phase 2}[U_j]) = D · L_2, (7)

where the capability works as a multiplier to cause the increase of effort.

4.1.2. The Calculation 

Let us consider some situations, where 2 users create a secure channel with some 
typical security levels. The sizes of the exchanged messages are estimated here and 
the results are presented in the following tables. The connection uses IPv4 and the 
transport protocol is User Datagram protocol (UDP) [3]. 

For all the messages, the sizes of the IP and UDP headers are constant. The size of 
the UDP header is 64 bits, which includes the port numbers and two UDP specific 
variables. Correspondingly, the size of the IPv4 header is 160 bits, if no options are 
selected. 

The first use-case uses the revised mode of public key exchange [4], which
is presented in Table 2. The group type is 1024-bit MODP, which is considered
secure. The field Packet size contains the IP and UDP headers that are added to the
message.



Table 2. Identity Protection Exchange with more security.

             Message size   Packet size   Explanation
1. message   1856 bits      2080 bits     Only 1 transform payload.
2. message   2464 bits      2688 bits     Nonce length is 1024 bits.
3. message   352 bits       576 bits

As the second case, there is a phase 1 exchange authenticated with signatures, see
Table 3. The signature algorithm is RSA with a length of 128 bits. This case uses the
fourth Oakley group, which is the elliptic curve group over the field
GF(2^185). The field Packet size contains the IP and UDP headers that are added to the
message.



Table 3. Identity Protection Exchange with signatures.

             Message size   Packet size   Explanation
1. message   1472 bits      1696 bits     Only 1 transform payload.
2. message   1376 bits      1600 bits     Nonce length is 1024 bits.
3. message   384 bits       608 bits      The RSA size is 128 bits.
The phase two Quick Mode progressions for the first two examples are gathered into
Table 4. The minimal version does not support perfect forward secrecy (PFS) [4] but
the more secure version does.



Table 4. Two versions of the Quick Mode.

             Message size   Packet size   Explanation
7. message   960 bits       1184 bits     Initiator sends 1. message, minimal security.
8. message   960 bits       1184 bits     Responder sends 1. message.
9. message   384 bits       608 bits      Initiator sends 2. message.
7. message   2784 bits      3008 bits     Initiator sends 1. message, more security.
8. message   2784 bits      3008 bits     Responder sends 1. message.
9. message   384 bits       608 bits      Initiator sends 2. message.

The calculation points out that the amount of exchanged messages increases
rapidly as the number of users grows. Because the negotiations have to happen
quite frequently, the network is swamped by the negotiation efforts. The concrete
phase 1 efforts tabulated above suffer from the fact that only one transform payload
is proposed, which is not the typical case. Therefore, the message sizes in Tables 2 and
3 must be considered minimal, and the probable sizes are much higher.

Table 5 presents estimations on the transmission time using two typical 
transmission speeds. Transmission time 1 indicates a normal GSM connection with a 
speed of 9.6 kbit/s and transmission time 2 indicates a GPRS connection with a 
concrete speed of 40 kbit/s. The transfer sizes are from the Table 2 (Identity 
Protection Exchange with more security) and Table 4 (more secure version). 



Table 5. Transmission times for mobile communications.

IKE messages                               Transfer size (bits)   Transmission time 1 (seconds)   Transmission time 2 (seconds)   Explanation
Phase 1 messages by the Initiator          5344                   0,557                           0,134                           1024-bit MODP and Nonce
Phase 1 messages                           10688                  1,113                           0,267                           Responder replies with similar messages.
Phase 2 messages by the Initiator          3616                   0,377                           0,09                            PFS supported, 1024-bit parameters
Phase 2 messages                           6624                   0,69                            0,166                           1 message from the Responder.
All messages by the Initiator              8960                   0,933                           0,224                           For one IPSec SA
All messages                               17312                  1,803                           0,433                           One IPSec SA created.
All messages with two Phase 2 exchanges    23936                  2,493                           0,598                           IPSec SAs to both directions with alike parameters
The calculated transmission times do not include any resent or echo packets, and
the transmission speeds are estimated rather optimistically. Therefore, the times must be
considered minimal. The calculations show that the effect of IKE is significant in
GSM connections. The impact on GPRS connections depends a lot on the concrete
speed, but the caused delay is evident anyway. If the connection is always on, the
negotiations should not have a severe effect on the transmissions. However, if the
connection is not on-line, the negotiations probably cause delay for each application
that initiates secure connections.
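The header and timing arithmetic behind Tables 2 to 5, as an added Python example that is not code from the paper: every ISAKMP message is wrapped in a 160-bit IPv4 header and a 64-bit UDP header, and the per-scenario bit totals are divided by the paper's two link speeds (9.6 kbit/s GSM, 40 kbit/s GPRS). The message sizes are the paper's values from Table 2 and the more secure version in Table 4.

```python
"""Reproduce the packet-size and transmission-time figures of Tables 2, 4 and 5.

Every ISAKMP message travels in one UDP datagram over IPv4, so the packet
size is the message size plus the two headers; transmission time is the
total number of bits divided by the link speed, with no retransmissions
(which is why the paper calls the resulting times minimal).
"""

IPV4_HEADER_BITS = 160  # IPv4 header without options
UDP_HEADER_BITS = 64    # source port, destination port, length, checksum
HEADER_BITS = IPV4_HEADER_BITS + UDP_HEADER_BITS  # 224 bits per packet

# Table 2: phase 1 Identity Protection Exchange, 1024-bit MODP group; the
# initiator's three messages (the responder answers with three alike).
PHASE1_INITIATOR_MSG_BITS = [1856, 2464, 352]
# Table 4, "more security" variant: Quick Mode with PFS, 1024-bit parameters.
PHASE2_INITIATOR_MSG_BITS = [2784, 384]  # 7. and 9. message
PHASE2_RESPONDER_MSG_BITS = [2784]       # 8. message

GSM_BITS_PER_S = 9600    # "transmission time 1": normal GSM data connection
GPRS_BITS_PER_S = 40000  # "transmission time 2": concrete GPRS speed used in the paper


def packet_bits(message_bits):
    """Packet size = ISAKMP message size plus IPv4 and UDP headers."""
    return message_bits + HEADER_BITS


def transfer_bits(messages):
    """Total bits on the wire for a list of ISAKMP message sizes."""
    return sum(packet_bits(m) for m in messages)


def transmission_time(bits, bits_per_second, digits=3):
    """Seconds needed to send `bits` over a link of the given speed."""
    return round(bits / bits_per_second, digits)


def table5_rows():
    """Rebuild Table 5 as {label: (transfer bits, GSM seconds, GPRS seconds)}."""
    p1_init = transfer_bits(PHASE1_INITIATOR_MSG_BITS)
    p1_all = 2 * p1_init  # responder replies with similar messages
    p2_init = transfer_bits(PHASE2_INITIATOR_MSG_BITS)
    p2_all = p2_init + transfer_bits(PHASE2_RESPONDER_MSG_BITS)
    sizes = {
        "Phase 1 messages by the Initiator": p1_init,
        "Phase 1 messages": p1_all,
        "Phase 2 messages by the Initiator": p2_init,
        "Phase 2 messages": p2_all,
        "All messages by the Initiator": p1_init + p2_init,
        "All messages": p1_all + p2_all,
        "All messages with two Phase 2 exchanges": p1_all + 2 * p2_all,
    }
    return {
        label: (bits,
                transmission_time(bits, GSM_BITS_PER_S),
                transmission_time(bits, GPRS_BITS_PER_S))
        for label, bits in sizes.items()
    }


if __name__ == "__main__":
    print(f"{'IKE messages':42} {'bits':>6} {'GSM s':>7} {'GPRS s':>7}")
    for label, (bits, t_gsm, t_gprs) in table5_rows().items():
        print(f"{label:42} {bits:6d} {t_gsm:7.3f} {t_gprs:7.3f}")
```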



4.2. Case 2: Variable Profiles for Users 

The users have individual requests for their Internet usage. The common and rational 
way to separate the profiles of the users is to compare the Internet applications in use. 
The two separate Internet applications studied here are the email and the web- 
navigation. Additionally, various devices can establish the Internet connection, which 
causes significant differences in the connection speeds and capabilities. 
Fundamentally, the case 2 focuses on a scenario, where a user wants a secure 
connection to an application server. The application server can be either an email or a 
web server. Figure 1 presents the relationship of the parties that need the secure 
communications. 




Fig. 1. The communicating parties. 

Another difference within the user profiles is the level of the security requirements.
The security levels can vary from strictly confidential to public, which causes
significant alteration in the security parameters. Some users require fully confidential
connections while others are satisfied with partially or functionally trusted connections.
The users possess personal security profiles that define the key lengths, algorithms
and protocols in use. The profiles are not constant and they may vary a lot between
different users.

If a user and an application server do not know the public keys of each other, a 
TTP may be needed. The trust relationship between the user and the TTP can be 
either fully trusted or functionally trusted and the level of trust depends on the 
cryptographic algorithm in use. It is sufficient to use a functionally trusted TTP for 
the public key delivery. If the users need symmetric keys, an unconditionally trusted 
TTP is required [5]. 

If the user and the application server already share each other's public keys, the
effort of the initiator is only 5 messages. There is no change in the effort of the
responder, so now the number of messages is the same. If the parties need to ask
for the public keys from a TTP, it takes at least 2 messages for each query. The number
of messages exchanged between a user U_i and a TTP is denoted by m_{i,TTP}, where
1 ≤ m_{i,TTP} ≤ n and n ∈ Z^+. Correspondingly, the number of messages exchanged
between a TTP and an application server is denoted by m_{A,TTP}, where 1 ≤ m_{A,TTP} ≤ n
and n ∈ Z^+.

Figure 2 presents a scenario, where a user asks for a secure access to an application 
server. In this scenario, the user and the server do not know each other’s public keys 
and they have to contact a TTP to acquire them. The scenario results in an IKE SA, 
which is stored and used in the creation of the IPSec SAs. Further, the IKE phase 2 
message exchanges happen more frequently, because the lifetime of the IPSec SA is 
typically short and it expires soon. In normal circumstances, there is no more need to 
contact a TTP. 



[Fig. 2 diagram: participants Initiator : User, Responder : Application server, and TTP; the user's messages 1. to 3. to the TTP (Give public keys( ), Store public key( )), then IKE messages( ) exchanged with the application server, which in turn queries the TTP (Give public keys( ), Store public key( )) before the IKE messages( ) continue.]

Fig. 2. IKE phase 1 negotiation.



4.2.1. The Estimation 

In this scenario the burden that IKE causes to network resources is more difficult to
estimate. The variables include the number of users, the capability of the
links between the negotiating entities, the user profiles and the type of the network
usage. If N users, where N ≥ 2, wish to connect to an application server, they all have
to create their own bi-directional IKE SA with the server. Therefore, the amount of
messages with N users within the phase 1 exchange is

where user U_i is the initiator and application server A is the responder. The link
capacity C (from the previous case) and the number of users are the key factors
when estimating the value of the link capability. The capability works again as a
multiplier to cause the increase of effort. The effort of creating IKE SAs from N users
to an application server can now be formulated as
6DN. (9)

The effect of the user profile is very complex to estimate. The security levels can
vary from strictly confidential to public, which causes significant alteration in the
security parameters. Because there are K (K ∈ Z, 1 ≤ K ≤ N) different user profiles,
there are also K different ways to affect the communication effort. The effect of the
user profile is denoted by P_i, where i ∈ K and P_i is on the scale 0 ≤ P_i ≤ 100. Also, the
effect of an application server, denoted as P_A, is on a scale 0 ≤ P_A ≤ 100. For N users,
the effect of the user profiles can be estimated by the mean value

P̄ = (1/N) Σ_{j=1}^{N} P_j, (10)

where the user profiles P_j belong to the users and are from the K different profile
types. If the user profiles and the application profile are considered in the
computation, the effect of the profiles for the phase 1 negotiation can now be formulated
as



DN(P = 3DN(P + PJ. ( 11 ) 

Now, one can estimate the effort of the data transfer for the complete IKE 
negotiations, because the increased effects have been considered as well. The effort of 
creating an IPSec SA from the user to the application server can be formulated as 

D (P, (m +E,..„,[f/,]+E,*„„.[C/,])+P„ {m ^ +E,,„„,[f/J+E^*„„.[C/J)) = D (12) 

(Pj (m i jjp “*■ 5) + P^ {m ^ j-fp + 4 )), 

where P_A is the effect of the application server, P_i is the effect of the user profile and 
i ∈ K. The notation m_{i,TTP} indicates the messages between a TTP and U_i, and the notation 
m_{A,TTP} indicates the messages between a TTP and an application server. As one can 
imagine, estimating the effort of creating IPSec SAs for N users would result 
in a very long and complicated formula. 

In this case, the different types of network usage are a user connecting to 
an email server and a user connecting to a web server. There are many other possible 
destinations, and they can be compared likewise. There is a big difference 
between the two usage types, as specified in chapter 2.2. Therefore, the network usage 
type can be thought of as an individual factor that influences the effort. 



5. Conclusions 

IKE has a very important role to play in the creation of secure virtual private 
networks. Scalable and secure key determination and distribution mechanisms are 
needed, but they are not always the present reality. The scalability of the IKE 
protocol has been discussed in this paper with mathematical estimations and concrete 
effort calculations. Generally, a possible growth in the effort can cause scalability 
problems under any circumstances. 

There can be several factors in the networks that affect the communication loads. 
The interfering factors introduced here are the number of users, the capability of 
the networks, the user profiles, the key delivery mechanisms and the type of 
network usage. Two use cases were introduced here: users communicating with each 
other and a user connecting to an application server. The estimations showed that the 
factors caused interference to the negotiations, but the definite amount of the 
interference depends on the local circumstances. Generally, it was proved that the 
number of exchanges increases as the number of users grows. Also, the 
number of messages follows the number of users linearly. 

The role of a trusted third party is essential since the communicating parties 
usually do not know each other's public keys beforehand. There are different 
relationships to the trusted third party, and one way to classify them is by the trust 
relationship. Trust is a difficult phenomenon to classify and it has raised interest 
among professionals. The trust relationship between the users and the application 
servers is another thing that is not self-evident and should be explored further. 

The scalability of IKE could improve if the use of certificates became more 
common. Certificates can be used to bind a specific identity of an entity to its public 
keys and possibly other security-related information. The advantage is that 
external methods are not needed for key delivery. However, the current 
implementations are often based on pre-shared key mechanisms, which is not a 
scalable solution for large user groups. 
Abstract. We present an efficient method for analyzing information flow of a 
recursive program. In our method, security levels of data can be formalized as an 
arbitrary finite lattice. We prove the correctness of the proposed algorithm and also 
show that the algorithm can be executed in cubic time in the size of a program. 
Furthermore, the algorithm is extended so that operations which hide information 
of their arguments can be appropriately modeled by using a congruence relation. 
Experimental results obtained with a prototypic system are also presented. 



1 Introduction 

In a system used by unspecified people, protecting information from undesirable leaking 
is essential. One of the ways to protect information from undesirable leaking is an access 
control technique called Mandatory Access Control (MAC). MAC requires that data and 
users (or processes) be assigned certain security levels represented by a label such as 
top-secret, confidential and unclassified. A label for a data d is called the security class 
(SC) of d, denoted as SC(d). A label for a user u is called the clearance of u, denoted as 
clear(u). In MAC, user u can read data d if and only if clear(u) ≥ SC(d). However, 
it is possible that a program with clearance higher than SC(d) reads data d, creates 
some data d' from d and writes d' to a storage which a user with clearance lower than 
SC(d) can read. Hence, an undesirable leak may occur since data d' may contain 
some information on data d. 

One way to prevent these kinds of information leaks is to conduct a program analysis 
which statically infers the SC of each output of the program when the SC of each input 
is given. Several program analyses based on a lattice model of SC have been proposed 
(see related works below); however, some of the program analyses can analyze only 
relatively simple programs which do not contain recursive procedures. Also, 
in some cases, the soundness of the analyses has not been proved. 

This paper proposes an algorithm which analyzes information flow of a program 
containing recursive procedures. The algorithm constructs equations from statements in 
the program. The equation constructed from a statement represents the information flow 
caused by the execution of the statement. The algorithm computes the least fix-point of 
these equations. We describe the algorithm as an abstract interpretation and prove the 
soundness of the algorithm. For a given program Prog, the algorithm can be executed in 
O(klN) time where k is the maximum number of arguments of procedures in Prog, l is 
the number of procedures in Prog and N is the total size of Prog. Based on the proposed 
method, a prototypic system has been implemented. Experimental results obtained with the 
system are also presented. 

In the algorithm proposed in this paper and in most other existing methods, the SC 
of the result of a built-in operation θ (e.g., addition) is assumed to be the least upper bound 
of the SCs of all input arguments of θ. This means that information on each argument 
may flow into the result of the operation. However, this assumption is not appropriate 
for some operations such as an aggregate operation and an encryption operation. For 
these operations, it is practically difficult to recover information on input arguments from 
the result of the operation. Considering the above discussion, the proposed method is 
extended so that these operations can be appropriately modeled by using a congruence 
relation. 

The rest of the paper is organized as follows. Section 2 defines the syntax and 
the operational semantics of a program language which will be the target language of 
the analysis. In section 3, we formally describe the program analysis algorithm, prove 
the correctness of the algorithm and show the time complexity of the algorithm. A brief 
example is also presented in section 3. The method is extended in section 4. Experimental 
results are briefly presented in section 5. 

Related Works. [D76] and [DD77] are the pioneering works which proposed a system- 
atic method of analyzing information flow based on a lattice model of security classes. 
Subsequently, Denning's analysis method has been formalized and extended in various 
ways by Hoare-style axiomatization [BBM94], by abstract interpretation [O95], and by 
type theory [VS97,HR98,LR98]. 

In a type theoretic approach, a type system is defined so that if a given program is 
well-typed then the program has noninterference property such that it does not cause 
undesirable information flow. [VS97] provides a type system for statically analyzing in- 
formation flow of a simple procedural program and proves its correctness. The method in 
[VS97] assumes a program without a recursive procedure while our method can analyze 
a program which may contain recursive procedures. [HR98] defines a type system for 
a functional language called Slam calculus to analyze noninterference property. [SV98] 
showed that their type system in [VS97] is no longer correct in a distributed environ- 
ment and presented a new type system for a multi-threaded language. How to extend 
our method to fit a distributed environment is a future study. 

A structure of security classes modeled as a finite lattice is usually a simple one 
such as {top-secret, confidential, unclassified}. [ML98] proposes a finer grained model 
of security classes called decentralized labels. Based on this model, [M99] proposes a 
programming language called JFlow, for which a static type system for information 
flow analysis as well as a simple but flexible mechanism for dynamically controlling the 
privileges is provided. However, their type system has not been formally verified. 

Recently, control flow analysis of a program which performs dynamic access control 
such as stack inspection in Java Development Kit 1.2 has been studied. For example, [JMT99, 
NTS01] propose methods of deciding, for a given program P and a global security 
property φ, whether every reachable state of P satisfies φ. 
2 Definitions 

2.1 Syntax of Program 

In this section, we define the syntax and semantics of a programming language which will 
be the input language to the proposed algorithm. This language is a simple procedural 
language similar to C. 

A program is a finite set of function definitions. A function definition has the following 
form: 

f(x_1, ..., x_n) local y_1, ..., y_m { P_f } 

where f is a function name, x_1, ..., x_n are formal arguments of f, y_1, ..., y_m are local 
variables and P_f is a function body. The syntax of P_f is given below, where c is a constant, 
x is a local variable or a formal argument, f is a function name defined in the program 
and θ is a built-in operator such as addition and multiplication. Any object generated by 
cseq can be P_f. 

cseq   ::= cmd | cmd_1; cseq 
cmd    ::= if exp then cseq else cseq fi | return exp 
cseq_1 ::= cmd_1 | cmd_1; cseq_1 
cmd_1  ::= x := exp | if exp then cseq_1 else cseq_1 fi | while exp do cseq_1 od 
exp    ::= c | x | f(exp, ..., exp) | θ(exp, ..., exp) 

Objects derived from exp, cmd or cmd_1, and cseq or cseq_1 are called an expression, a 
command and a sequence of commands, respectively. An execution of a program Prog is 
the evaluation of the function named main, which should be defined in Prog. Inputs for 
Prog are actual arguments of main and the output of Prog for these inputs is the return 
value of main. 



2.2 Semantics of Program 

We assume the following types to define the operational semantics of a program. Let × 
denote the cartesian product and + denote the disjoint union. 

type val (values) We assume that for each n-ary built-in operator θ, an n-ary operation θ_X : 
val × ··· × val → val is defined. Every value manipulated or created in a program 
has the same type val. 
type store There exist two functions 
lookup : store × var → val 
update : store × var × val → store 
which satisfy: 

lookup(update(σ, x, v), y) = if x = y then v else lookup(σ, y). 

For readability, we use the following abbreviations: 

σ(x) = lookup(σ, x),  σ[x := v] = update(σ, x, v). 

Let ⊥_store denote the store such that ⊥_store(x) is undefined for every x. 




An Efficient Information Flow Analysis of Recursive Programs 295 



We define a mapping which provides the semantics of a program. This mapping takes a 
store and one of an expression, a command and a sequence of commands as arguments 
and returns a store or a value. 

⊨ : (store → exp → val) + (store → cmd → (store + val)) 
  + (store → cseq → (store + val)) 

- σ ⊨ M ⇒ v means that a store σ evaluates an expression M to the value v, that is, 
if M is evaluated by using σ then v is obtained. 

- σ ⊨ C ⇒ σ' means that a store σ becomes σ' if a command C is executed. 

- σ ⊨ C ⇒ v means that if a command C is executed when the store is σ then the 
value v is returned. This mapping is defined only when C has the form of 'return 
M' for some expression M. 

- Similar for a sequence of commands. 

Below we provide axioms and inference rules which define the semantic mapping, where 
the following meta-variables are used. 

x, x_1, ..., y_1, ... : var    M, M_1, ... : exp    C : cmd or cmd_1 
P, P_1, P_2 : cseq or cseq_1    σ, σ', σ'' : store 

(CONST)   σ ⊨ c ⇒ c 

(VAR)     σ ⊨ x ⇒ σ(x) 

(PRIM)    σ ⊨ M_i ⇒ v_i (1 ≤ i ≤ n) 
          ---------------------------------------------- 
          σ ⊨ θ(M_1, ..., M_n) ⇒ θ_X(v_1, ..., v_n) 

(CALL)    σ ⊨ M_i ⇒ v_i (1 ≤ i ≤ n)    σ' ⊨ P_f ⇒ v 
          ---------------------------------------------- 
          σ ⊨ f(M_1, ..., M_n) ⇒ v 
          where f(x_1, ..., x_n) local y_1, ..., y_m { P_f } ∈ Prog 
          and σ' = ⊥_store[x_1 := v_1] ··· [x_n := v_n] 

(ASSIGN)  σ ⊨ M ⇒ v 
          ---------------------------------------------- 
          σ ⊨ x := M ⇒ σ[x := v] 

(IF1)     σ ⊨ M ⇒ true    σ ⊨ P_1 ⇒ σ' (rsp. v) 
          ---------------------------------------------- 
          σ ⊨ if M then P_1 else P_2 fi ⇒ σ' (rsp. v) 

(IF2)     σ ⊨ M ⇒ false    σ ⊨ P_2 ⇒ σ' (rsp. v) 
          ---------------------------------------------- 
          σ ⊨ if M then P_1 else P_2 fi ⇒ σ' (rsp. v) 

(WHILE1)  σ ⊨ M ⇒ true    σ ⊨ P ⇒ σ'    σ' ⊨ while M do P od ⇒ σ'' 
          ---------------------------------------------- 
          σ ⊨ while M do P od ⇒ σ'' 

(WHILE2)  σ ⊨ M ⇒ false 
          ---------------------------------------------- 
          σ ⊨ while M do P od ⇒ σ 

(RETURN)  σ ⊨ M ⇒ v 
          ---------------------------------------------- 
          σ ⊨ return M ⇒ v 

(CONCAT)  σ ⊨ C ⇒ σ'    σ' ⊨ P ⇒ σ'' (rsp. v) 
          ---------------------------------------------- 
          σ ⊨ C; P ⇒ σ'' (rsp. v) 



3 The Analysis Algorithm 

A security class (abbreviated as SC) represents the security level of a value in a program. 
Let SCset be a finite set of security classes. Also assume that a partial order ⊑ is defined 
on SCset and (SCset, ⊑) forms a lattice; let ⊥ denote the minimum element of SCset 
and let a_1 ⊔ a_2 denote the least upper bound of a_1 and a_2 for a_1, a_2 ∈ SCset. Intuitively, 
τ_1 ⊑ τ_2 means that τ_2 is more secure than τ_1; it is legal that a user with clearance τ_2 can 
access a value with SC τ_1. A simple example of SCset is: 

SCset = {low, high}, low ⊑ high. 

The purpose of the analysis is to infer (an upper bound of) the SC of the output value 
when an SC of each input is given. Precisely, the analysis problem for a given program 
Prog is to infer an SC of the output value of Prog which satisfies the soundness property 
defined in section 3.3. 

We first describe the analysis algorithm in section 3.1. The soundness of the proposed 
algorithm is proved in section 3.3. 



3.1 The Algorithm 

To describe the algorithm, we use the following types. 

type sc (security class). 
type ŝtore (SC of store) 

update : ŝtore × var × sc → ŝtore 
lookup : ŝtore × var → sc 

For type ŝtore, we use the same abbreviations as for type store. If σ̂ is an element of 
type ŝtore, then σ̂(x) is the SC of variable x inferred by the algorithm. By extending 
the partial order ⊑ defined on sc to type ŝtore as shown below, we can provide a 
lattice structure to ŝtore: 

For σ̂ and σ̂' of type ŝtore, σ̂ ⊑ σ̂' ⇔ ∀x ∈ var. σ̂(x) ⊑ σ̂'(x). 

The minimum element of ŝtore is the σ̂ satisfying ∀x ∈ var. σ̂(x) = ⊥. We write this 
minimum element as ⊥_ŝtore. 

type fun (SC of function) Similarly to type ŝtore, the following functions are defined. 

lookup : fun × fname → (sc × ··· × sc → sc) 
update : fun × fname × (sc × ··· × sc → sc) → fun 

We use the following abbreviations for F ∈ fun, f ∈ fname and ψ : sc × ··· × sc → 
sc. 

F[f] = lookup(F, f) 
F[f := ψ] = update(F, f, ψ) 

For n-ary function f and SCs τ_1, ..., τ_n, F[f](τ_1, ..., τ_n) is the SC of the returned 
value of f inferred by the algorithm when the SC of the i-th argument is specified as 
τ_i (1 ≤ i ≤ n). Similarly to type ŝtore, we can provide a lattice structure to type 
fun. The minimum element of fun is denoted as ⊥_fun. 
type cv-fun (covariant fun) This type consists of every F of type fun which satisfies 
the next condition: 

If τ_i ⊑ τ'_i for 1 ≤ i ≤ n then F[f](τ_1, ..., τ_n) ⊑ F[f](τ'_1, ..., τ'_n). 
We use the following meta-variables as well as the meta-variables introduced in section 
2.2. 

σ̂, σ̂', σ̂'' : ŝtore    F, F_1, F_2 : fun 

Below we define a function A[·] which analyzes the information flow. Before defining 
the analysis function, we explain implicit flow [D76]. Consider the following command, 

if x = 0 then y := 0 else y := 1 fi 

In this command, the variable x occurs neither in y := 0 nor in y := 1. However, after 
executing this command, we can know whether x is 0 or not by checking whether y is 0 
or 1. Therefore, we can consider that information on the value stored in the variable x flows 
into the variable y. In general, information may flow from the conditional clause of an 
"if" command into its "then" and "else" clauses, and it may also flow from the conditional 
clause of a "while" command into its "do" clause. Such information flow is called implicit 
flow. The function A[·] infers that the SC of implicit flow caused by a command C or a 
sequence P of commands is the least upper bound of the SCs of the conditional clauses 
of all the "if" and "while" commands which contain C or P in their scopes. A[·] takes 
the SC of implicit flow as its fourth argument. 

A : (exp × fun × ŝtore → sc) + (cmd × fun × ŝtore × sc → ŝtore) 
  + (cseq × fun × ŝtore × sc → ŝtore) 

- A[M](F, σ̂) = τ means that, for SCs F of functions and an SC σ̂ of a store, the 
SC of an expression M is analyzed as τ. 

- A[C](F, σ̂, ν) = σ̂' means that, for SCs F of functions, an SC σ̂ of a store and an 
SC ν of implicit flow, the SC of the store after executing a command C is analyzed 
as σ̂'. 

- Similar for a sequence of commands. 

The definition of A is as follows: 

(CONST)  A[c](F, σ̂) = ⊥ 
(VAR)    A[x](F, σ̂) = σ̂(x) 
(PRIM)   A[θ(M_1, ..., M_n)](F, σ̂) = ⊔_{1≤i≤n} A[M_i](F, σ̂) 
(CALL)   A[f(M_1, ..., M_n)](F, σ̂) = F[f](A[M_1](F, σ̂), ..., A[M_n](F, σ̂)) 
(ASSIGN) A[x := M](F, σ̂, ν) = σ̂[x := A[M](F, σ̂) ⊔ ν] 
(IF)     A[if M then P_1 else P_2 fi](F, σ̂, ν) = A[P_1](F, σ̂, ν ⊔ τ) ⊔ A[P_2](F, σ̂, ν ⊔ τ) 
         where τ = A[M](F, σ̂) 
(WHILE)  A[while M do P od](F, σ̂, ν) = A[P](F, σ̂, ν ⊔ A[M](F, σ̂)) ⊔ σ̂ 
(RETURN) Let ret be a fresh variable which contains a return value of a function. 
         A[return M](F, σ̂, ν) = σ̂[ret := A[M](F, σ̂) ⊔ ν] 
(CONCAT) A[C; P](F, σ̂, ν) = A[P](F, A[C](F, σ̂, ν), ν) 

Define the function A[·] : program → fun → fun, which performs 'one-step' 
analysis of information flow for each function f defined in a given program as follows: 

For Prog = {f(x_1, ..., x_n) local y_1, ..., y_m { P_f }, ...}, 

A[Prog](F) = F[f := λτ_1 ... τ_n. (A[P_f](F, ⊥_ŝtore[x_1 := τ_1] ··· [x_n := τ_n], ⊥)(ret)) 
               | f is an n-ary function defined in Prog]    (1) 
For a lattice (S, ⊑) and a function f : S → S, we write the least fix-point of f as fix(f). 
For a program Prog, the function A*[Prog] which analyzes information flow of Prog 
is defined as the least fix-point of A[Prog], that is, 

A*[Prog] = fix(λF. A[Prog](F)). 

As will be shown in lemma 1, A[Prog] is a monotonic function on the finite lattice 
cv-fun. Therefore, 

A*[Prog] = ⊔_{i≥0} A[Prog]^i(⊥_fun)    (2) 

holds [M96] where f^0(x) = x, f^{i+1}(x) = f(f^i(x)). Hence, A*[Prog] can be calculated 
by starting with ⊥_fun and repeatedly applying A[Prog] to the SCs of functions 
until the SCs of the functions remain unchanged. 



3.2 An Example 



In this subsection, we show how our analysis algorithm works. The program which we 
are going to analyze is written below. In this example, we assume SCset = {low, high}, 
low ⊑ high. 

main(x) { 
  while x > 0 do 
    y := x + 1; x := y - 4 
  od; 
  return f(x) 
} 

f(x) { 
  if x > 0 
  then return x * f(x - 1) 
  else return 0 
  fi 
} 

In order to analyze this program, we continue updating F using the following relation 
until F does not change any more. 

F = F[main := λτ. (A[P_main](F, ⊥_ŝtore[x := τ], ⊥)(ret))] 
     [f := λτ. (A[P_f](F, ⊥_ŝtore[x := τ], ⊥)(ret))] 

The table below shows how F changes. The SCs of the i-th column are calculated by 
using the SCs of the (i - 1)th column. 

          |   0    |   1    |   2    |   3 
----------+--------+--------+--------+-------- 
F[main]   | λτ.⊥   | λτ.⊥   | λτ.τ   | λτ.τ 
F[f]      | λτ.⊥   | λτ.τ   | λτ.τ   | λτ.τ 

From this table, we can see that A*[Prog][main](τ) = τ, that is, the SC of the return 
value of the main function is low when the SC of the actual argument is low and the 
SC of the return value of the main function could be high when the SC of the actual 
argument is high. 
3.3 Soundness of the Algorithm 

As mentioned in section 3.1, the analysis algorithm is a function of the following type: 

A*[·] : program → fname → (sc × ··· × sc → sc). 

A*[Prog][f](τ_1, ..., τ_n) = τ means that for an n-ary function f defined in Prog and 
for SCs τ_1, ..., τ_n of arguments of f, A*[·] infers that the SC of f is τ. 

Definition 1. An analysis algorithm A*[·] is sound if the following condition is 
satisfied. 

Assume Prog is a program and main is the main function of Prog. If 
A*[Prog][main](τ_1, ..., τ_n) = τ, 
⊥_store ⊨ main(v_1, ..., v_n) ⇒ v,  ⊥_store ⊨ main(v'_1, ..., v'_n) ⇒ v', 
∀i (1 ≤ i ≤ n) : τ_i ⊑ τ. v_i = v'_i 
then v = v' holds. □ 

By the above definition, an analysis algorithm is sound if and only if the following 
condition is satisfied: assume that the analysis algorithm answers "the SC of the returned 
value of the main function is τ if the SC of the i-th argument is τ_i." If every actual 
argument with SC equal to or less than τ remains the same, then the returned value of the 
main function also remains the same even if an actual argument with SC higher than 
or incomparable with τ changes. Intuitively, this means that if the analysis algorithm 
answers "the SC of the main function is τ," then information contained in each actual 
argument with SC higher than or incomparable with τ does not flow into the return value 
of the main function. 
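The semantic rules of section 2.2 and the v = v' condition of Definition 1, as an added worked example in Python. This is my code, not the paper's prototype: expressions and commands are encoded as tuples in an AST of my own design, the set of built-in operators θ_X (PRIMS) is an assumption because the paper leaves them open, and the helper names (eval_exp, exec_cmd, exec_cseq, run, interferes) are mine. interferes() checks concretely whether main's output changes when a single argument is varied, the situation that a sound analysis must never attribute to lower-classified inputs alone. The paper's section 3.2 program is the sample input, together with a constructed wrapper around the implicit-flow command of section 3.1.

```python
"""Interpreter for the mini-language, following the inference rules of section 2.2,
plus a concrete check of the v = v' condition in Definition 1.
Added example code, not the paper's prototype; the AST encoding, PRIMS and the
helper names are mine."""

# Built-in operators θ_X : val × ... × val → val (assumed set; the paper leaves them open).
PRIMS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b,
         ">": lambda a, b: a > b, "=": lambda a, b: a == b}

# AST constructors (my encoding): expressions and commands are tuples, a cseq is a list.
C = lambda c: ("const", c)
V = lambda x: ("var", x)
P = lambda op, *ms: ("prim", op, list(ms))
CALL = lambda f, *ms: ("call", f, list(ms))

def eval_exp(prog, store, exp):
    """σ ⊨ M ⇒ v: (CONST), (VAR), (PRIM) and (CALL)."""
    tag = exp[0]
    if tag == "const":
        return exp[1]
    if tag == "var":
        return store[exp[1]]
    vals = [eval_exp(prog, store, m) for m in exp[2]]
    if tag == "prim":
        return PRIMS[exp[1]](*vals)
    if tag == "call":                 # callee runs in ⊥_store[x_1 := v_1] ... [x_n := v_n]
        params, _locals, body = prog[exp[1]]
        kind, result = exec_cseq(prog, dict(zip(params, vals)), body)
        if kind != "value":
            raise RuntimeError(f"{exp[1]} finished without a return")
        return result
    raise ValueError(f"bad expression {exp!r}")

def exec_cmd(prog, store, cmd):
    """σ ⊨ C ⇒ σ' gives ('store', σ'); σ ⊨ C ⇒ v (a return) gives ('value', v)."""
    tag = cmd[0]
    if tag == "assign":               # (ASSIGN)
        return "store", {**store, cmd[1]: eval_exp(prog, store, cmd[2])}
    if tag == "if":                   # (IF1) / (IF2)
        branch = cmd[2] if eval_exp(prog, store, cmd[1]) else cmd[3]
        return exec_cseq(prog, store, branch)
    if tag == "while":                # (WHILE1) / (WHILE2)
        while eval_exp(prog, store, cmd[1]):
            _kind, store = exec_cseq(prog, store, cmd[2])
        return "store", store
    if tag == "return":               # (RETURN)
        return "value", eval_exp(prog, store, cmd[1])
    raise ValueError(f"bad command {cmd!r}")

def exec_cseq(prog, store, cseq):
    """(CONCAT): thread the store through C; P and stop at the first return."""
    kind, result = "store", store
    for cmd in cseq:
        kind, result = exec_cmd(prog, result, cmd)
        if kind == "value":
            break
    return kind, result

def run(prog, *args):
    """Execute Prog: the output is the value main returns for the actual arguments."""
    return eval_exp(prog, {}, CALL("main", *[C(a) for a in args]))

def interferes(prog, args, i, alternatives):
    """Definition 1, tested concretely for one argument position: True if main's output
    changes (v ≠ v') when only argument i is replaced by one of the alternatives. A sound
    analysis answering SC τ for main must see no such change from any argument whose SC ⊑ τ."""
    v = run(prog, *args)
    for alt in alternatives:
        changed = list(args)
        changed[i] = alt
        if run(prog, *changed) != v:
            return True
    return False

# The paper's section 3.2 program in my AST encoding.
EXAMPLE = {
    "main": (["x"], ["y"], [
        ("while", P(">", V("x"), C(0)),
         [("assign", "y", P("+", V("x"), C(1))), ("assign", "x", P("-", V("y"), C(4)))]),
        ("return", CALL("f", V("x")))]),
    "f": (["x"], [], [
        ("if", P(">", V("x"), C(0)),
         [("return", P("*", V("x"), CALL("f", P("-", V("x"), C(1)))))],
         [("return", C(0))])]),
}
# The implicit-flow command of section 3.1 wrapped in main(x, y): a constructed program.
IMPLICIT = {"main": (["x", "y"], [], [
    ("if", P("=", V("x"), C(0)), [("assign", "y", C(0))], [("assign", "y", C(1))]),
    ("return", V("y"))])}

if __name__ == "__main__":
    print(run(EXAMPLE, 5), interferes(IMPLICIT, (0, 7), 0, [1, 2]))
```

For IMPLICIT, varying x while y is fixed changes the output, so by Definition 1 no sound analysis may report low for main(high, low); varying y does not change it, which is the behaviour the (IF) rule of section 3.1 captures by joining the conditional's SC into both branches.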

The following lemma guarantees the validity of the equation (2). 

Lemma 1. (a) If F is of type cv-fun then A[Prog](F) is also of type cv-fun. 

(b) (monotonicity) Assume F_1 and F_2 are of type cv-fun. If F_1 ⊑ F_2 then 
A[Prog](F_1) ⊑ A[Prog](F_2). □ 

The next two lemmas are used to show that the algorithm presented in section 3.1 is 
sound in the sense of definition 1. 

Lemma 2. (property of implicit flow) 

(a) If A[P](F, σ̂, ν) = σ̂', σ ⊨ P ⇒ σ' and ν ⋢ σ̂'(y) then σ(y) = σ'(y). 

(b) If A[P](F, σ̂, ν) = σ̂', σ ⊨ while M do P od ⇒ σ' and ν ⋢ σ̂'(y) then σ(y) = 
σ'(y). □ 

Lemma 3. (noninterference property) Let F = A*[Prog]. 

(a) If A[M](F, σ̂) = τ, σ_1 ⊨ M ⇒ v_1, σ_2 ⊨ M ⇒ v_2 and ∀x : σ̂(x) ⊑ τ. σ_1(x) = 
σ_2(x), then v_1 = v_2. 

(b) If A[P](F, σ̂, ν) = σ̂', σ_1 ⊨ P ⇒ σ'_1, σ_2 ⊨ P ⇒ σ'_2, σ̂'(y) = τ and ∀x : σ̂(x) ⊑ 
τ. σ_1(x) = σ_2(x), then σ'_1(y) = σ'_2(y). 

(c) If A[P](F, σ̂, ν) = σ̂', σ_1 ⊨ P ⇒ v_1, σ_2 ⊨ P ⇒ v_2 and ∀x : σ̂(x) ⊑ 
σ̂'(ret). σ_1(x) = σ_2(x), then v_1 = v_2. 

(Proof Sketch) By using Lemmas 1 and 2, the lemma is proved by induction on the 
number of applications of inference rules for A[·]. □ 

Theorem 1. The algorithm A*[·] is sound. 

(Proof) By lemma 3(c). □ 

3.4 Time Complexity 

In this subsection, the time complexity of the algorithm A*[·] presented in section 3.1 
is examined. Let Prog be an input program and let k, l and N be the maximum number 
of arguments of each function in Prog, the number of functions in Prog and the total 
size of Prog, respectively. Since the only operations which appear in the algorithm are 
⊥ and ⊔, for each n-ary function f in Prog, A[Prog](F)[f] can be written as 

A[Prog](F)[f](τ_1, ..., τ_n) = τ_{i_1} ⊔ ··· ⊔ τ_{i_m} 

where τ_i (1 ≤ i ≤ n) is an arbitrary SC and {i_1, ..., i_m} ⊆ {1, ..., n}. The worst case 
is that for each execution of A[Prog](F), only one τ_j is added to 
A[Prog](F)[f_1](τ_1, ..., τ_n) for only one function f_1 and A[Prog](F)[f](τ_1, ..., τ_n) 
remains unchanged for every function f other than f_1. For example, 
A[Prog](F)[f_1](τ_1, τ_2, τ_3) = τ_1 becomes A[Prog](A[Prog](F))[f_1](τ_1, τ_2, τ_3) = 
τ_1 ⊔ τ_3 while A[Prog](A[Prog](F))[f](τ_1, ..., τ_n) = A[Prog](F)[f](τ_1, ..., τ_n) 
for every function f other than f_1. Thus, the maximum number of iterations of A[Prog] 
is kl. On the other hand, it is not difficult to see that one iteration of A[Prog] takes 
O(N) time. Hence, we obtain the following theorem: 

Theorem 2. Let Prog be a program. The algorithm A*[Prog] can be executed in 
O(klN) time where k is the maximum number of arguments of each function in Prog, 
l is the number of functions in Prog and N is the total size of Prog. □ 



4 An Extended Model 

The algorithm A in the previous section has been defined for any built-in operator θ as: 

(PRIM) A[θ(M_1, ..., M_n)](F, σ̂) = ⊔_{1≤i≤n} A[M_i](F, σ̂). 

This means that we assume information contained in each argument may flow into the 
result of the operation θ_X. However, this assumption is too conservative for a certain 
operation. For example, if an operation θ_X is defined as θ_X(x, y) = x, then it is clear 
that information in the second argument does not flow into the result of the operation. 
Another example is an encryption. Assume that for a plain text d and an encryption key 
k, the result of the operation E_X(d, k) is the cipher text of d with key k. We may consider 
that the SC of E(x, y) is low even if the SCs of x and y are both high. 

To express the above mentioned properties of particular built-in operations, we gen- 
eralize the above definition as: 

(PRIM) A[θ(M_1, ..., M_n)](F, σ̂) = B[θ](A[M_1](F, σ̂), ..., A[M_n](F, σ̂)), 

where B[θ] is an arbitrary monotonic total function on sc: 

B[θ] : sc × ··· × sc → sc. 

In particular, B[θ](τ_1, ..., τ_n) = ⊔_{1≤i≤n} τ_i gives the original definition of A. 

However, the generalized algorithm is no longer sound in the sense of definition 1. 
Suppose that we define B[E](τ_1, τ_2) = low, and consider a program 

Prog = {main(x, y) { return E(x, y) }}. 

A*[Prog][main](high, high) = low holds while for distinct plain texts d_1, d_2 and a key 
k, E_X(d_1, k) ≠ E_X(d_2, k). Hence A*[·] is not sound. Intuitively, the fact that the SC of 
expression E(x, y) is inferred as low means that we cannot recover information contained 
in the arguments x, y from the result of the encryption. In other words, E_X(d_1, k) and 
E_X(d_2, k) are indistinguishable with respect to the information in the arguments. To 
express this indistinguishability, we introduce the following notions. 

A relation R on type val is called a congruence relation if R is an equivalence relation 
which satisfies: 

for each n-ary built-in operator θ, if c_i R c'_i for 1 ≤ i ≤ n 
then θ_X(c_1, ..., c_n) R θ_X(c'_1, ..., c'_n). 

In the following, we assume that a particular congruence relation ~ is given. For v, v' of 
type val, if v ~ v' then we say that v and v' are indistinguishable. By the definition, if c_i 
and c'_i for 1 ≤ i ≤ n are indistinguishable then for any built-in operator θ, θ_X(c_1, ..., c_n) 
and θ_X(c'_1, ..., c'_n) are also indistinguishable. This implies that once v and v' become 
indistinguishable, we cannot obtain any information to distinguish v and v' through any 
operations. 

Next, we require B[·] to satisfy the following condition. 

Condition 4 Assume B[θ](τ_1, ..., τ_n) = τ for an n-ary built-in operator θ. Let c_j, c'_j 
be of type val (1 ≤ j ≤ n). If c_j ~ c'_j for each j (1 ≤ j ≤ n) such that τ_j ⊑ τ, then 
θ_X(c_1, ..., c_n) ~ θ_X(c'_1, ..., c'_n). □ 

The above condition states that: 

Let B[θ](τ_1, ..., τ_n) = τ. Assume that the arguments of θ are changed from c_1, ..., c_n 
to c'_1, ..., c'_n. As long as c_j and c'_j are indistinguishable for each argument position 
j such that τ_j ⊑ τ, θ_X(c_1, ..., c_n) and θ_X(c'_1, ..., c'_n) remain indistinguishable. 

Example 1 (nonstrict function). Assume that θ_X(x, y) = x and B[θ](τ_1, τ_2) = τ_1. For 
any values c_1, c'_1, c_2 and c'_2, c_1 ~ c'_1 implies θ_X(c_1, c_2) = c_1 ~ c'_1 = θ_X(c'_1, c'_2). Hence, 
condition 4 is met for any congruence relation ~. □ 

Example 2 (declassification). Let mk-rpt be an operator which takes a patient record 
and produces a doctor's report. Assume that no information in the argument of mk-rpt 
flows into the result of the operator. In this case, we can define B[mk-rpt](high) = low 
with low ⊑ high. Condition 4 requires that for any patient records c, c', mk-rpt_X(c) ~ 
mk-rpt_X(c'). Intuitively, this means that we cannot discover information on a particular 
patient's record by reading a doctor's report. □ 



Example 3 (encryption). Let E be an encryption function which takes a plain text and 
an encryption key as arguments. Assume that no information in the plain text can be 
discovered by manipulating the encrypted text. In this case, we can define 
B[E](high, high) = low. Condition 4 requires that for any plain texts d, d' and keys 
k, k', E_X(d, k) ~ E_X(d', k'). □ 

Now we can define the soundness by using the notion of indistinguishability as follows: 

Definition 2 (generalized soundness). Let ~ be a congruence relation. We say that an 
algorithm A*[·] is sound (with respect to ~) if the following condition holds: 

If A*[Prog][main](τ_1, ..., τ_n) = τ, 
⊥_store ⊨ main(v_1, ..., v_n) ⇒ v,  ⊥_store ⊨ main(v'_1, ..., v'_n) ⇒ v', and 
∀i (1 ≤ i ≤ n) : τ_i ⊑ τ. v_i ~ v'_i 
then v ~ v' holds. □ 

It is not difficult to prove the following theorem in a similar way to the proof of theorem 
1. 

Theorem 3. If condition 4 is satisfied, then the generalized algorithm A*[·] is sound in 
the sense of definition 2. □ 



5 Conclusion 



In this paper, we have proposed an algorithm which can statically analyze the information 
flow of a procedural program containing recursive definitions. It has been shown that 
the algorithm is sound and that the algorithm can be executed in polynomial time in 
the size of an input program. In [Y01], the proposed algorithm is extended to be able to 
analyze a program which may contain global variables, and a prototypic analysis system 
has been implemented. Table 1 shows the execution time to analyze sample programs 
by the implemented system. Extending the proposed method so that we can analyze a 
program which has pointers and/or object-oriented features is a future study. 



Acknowledgments. The authors sincerely thank Fumiaki Ohata and Reishi Yokomori 
of Osaka University for their valuable comments and discussions. 
Table 1. Analysis time 

Program                   | Number of lines | Average analysis time (sec) 
--------------------------+-----------------+---------------------------- 
Ticket reservation system | 419             | 0.050 
Sorting algorithm         | 825             | 0.130 
A program library         | 2471            | 2.270 
Abstract. Network Denial-of-Service (N-DoS) attacks are one of the 
fastest growing types of attack on the Internet. This paper addresses 
the vulnerabilities in Internet protocols, as well as deficiencies in flow- 
control in the Internet, both of which contribute to the loss of resource 
availability when networks suffer N-DoS attacks. Furthermore, an AFFC 
(Anti-flooding Flow-Control) model is presented to defend against flood- 
ing N-DoS attacks. AFFC policies regulate unresponsive elastic traffic 
and aggressive best-effort traffic for specific flow classes. Experiments 
have demonstrated that the deployment of this model can thwart harm- 
ful flows and prevent congestion collapse by flooding N-DoS attacks. 



1 Introduction 

1.1 Network Denial-of-Service Attacks on the Internet 

Network Denial-of-Service (N-DoS) attacks corrupt network resource availabil- 
ity to legitimate users. There is a growing number of N-DoS attacks in various 
forms and symptoms on the Internet. The newly emerged N-DoS attacks are 
Distributed-DoS (DDoS) attacks. Essentially, DDoS attacks bundle classical N- 
DoS attacks and launch them simultaneously from intermediate machines. 
Table 1 contains cases of typical classical N-DoS attacks. Flooding N-DoS at- 
tacks deprive legitimate users of network resources such as network bandwidth. 
Both flooding and non-flooding N-DoS attacks have exploited the vulnerabilities 
and flaws in the design and implementations of Internet protocols. 

1.2 Existing Defense Strategies 

Most existing defense strategies against N-DoS attacks are based on explicit signature 
capturing and analysis. For attacks whose signatures change across variants, this type 
of approach has limitations. For instance, signatures often used in detecting DDoS 
daemons, such as process commands and communication port numbers, lose their validity 
when they are modified in separate attacks. Some researchers have also proposed 
address-based filtering to shield against malicious sources. This approach, if not 
infeasible, is difficult and costly to apply on the open Internet, where incoming 
sources are very dynamic. 

In order to defend against N-DoS attacks proactively and effectively on the Internet, 
the core vulnerabilities in the TCP/IP protocol suite and the Internet infrastructure 
must be investigated. 



S. Qing, T. Okamoto, and J. Zhou (Eds.): ICICS 2001, LNCS 2229, pp. 304-315, 2001. 
(c) Springer-Verlag Berlin Heidelberg 2001 
Table 1. Classical Network Denial-of-Service Attack Examples 

                 Non-Flooding N-DoS                  Flooding N-DoS 
  TCP-related    Land / Lanierra [HH98]              SYN-Flood [Cert96a] 
                 TearDrop2                           Mstream [Dd00] / ack-flood 
  UDP-related                                        UDP-echo-flooding 
                                                     Fraggle-attack 
  IP-related     Tear / TearDrop / NewTear 
                 Bonk / Boink [Windows99] 
                 Ping-of-Death [Cert96b] 
  ICMP-related   ICMP-unreachable                    SMURF 
                                                     Ping-flood 
  ARP-related    ARP-redirect / poisoning 


2 Internet Protocols 

This section addresses vulnerabilities and flaws in Internet protocols - the TCP/IP 
suite. The next section analyzes the insufficiencies in network-node flow-control 
schemes on the Internet. 



2.1 Vulnerabilities in Internet Protocols 

Application Layer. Security flaws in the Application Layer are often caused by a lack 
of bounds checking. One typical example is buffer overflow. Such flaws need to be 
patched on a case-by-case basis. Designing and implementing applications with security 
considerations is crucial. 



Transport Layer. There are three features of TCP that make it appealing to N-DoS 
attackers. First, a limited listening queue combined with a relatively long timeout 
period (typically 75 seconds) helps create a typical SYN-flood scenario. Second, TCP 
headers can be manipulated if authentication or integrity is not guaranteed, as in the 
LAND attack. Third, legitimate TCP traffic, which follows congestion control and 
avoidance algorithms, can unfortunately suffer severe network resource starvation when 
competing with best-effort traffic under pipe-structured Internet scheduling schemes. 

UDP traffic provides best-effort service without congestion control schemes implemented 
in the protocol. This feature has been taken advantage of by attackers to launch 
flooding N-DoS attacks that deprive legitimate traffic, especially elastic TCP-friendly 
traffic. 



Network Layer. ICMP, as a helper layer for the Network Layer, has non-responsive 
features similar to those of UDP. N-DoS attacks often use ICMP packets to launch 
flooding attacks. In addition, by manipulating ICMP headers, N-DoS attackers can mute 
their targets, as in the ICMP-unreachable attack. 

IP is susceptible to IP spoofing because it lacks authentication unless schemes such as 
IPsec are used. In addition, IP packets are subject to fragmentation when required. 
Fragmentation reassembly procedures that lack bounds checking are vulnerable to various 
fragmentation attacks such as Ping-of-Death, Tear attacks, and Bonk attacks. 

IPsec provides authentication and integrity checking for IPv4 or IPv6 packets as an 
option. However, IPsec is mandatory to implement but optional to use, and it may not 
be deployed in all Internet network nodes and hosts other than VPNs. Furthermore, IPsec 
only protects certain fields of the IP header, which cannot eliminate the impact of all 
N-DoS attacks. For example, fragmentation attacks can survive the IPsec shield because 
the fragmentation field is transparent to IPsec. 



Link Layer. ARP (Address Resolution Protocol) is used with certain types of network 
interface (such as Ethernet and token ring) to convert between IP addresses and network 
interface addresses. Dynamic ARP cache tables often do not prevent crackers from 
sending packets with forged ARP addresses and triggering ARP cache poisoning attacks, 
which can be used to mute a victim machine. 

2.2 Hardening TCP/IP Suite 

There are two aspects to hardening the TCP/IP protocol suite. First, protocols must be 
designed with security considerations, which still needs to be fulfilled in many RFC 
standards. IPsec is an option that provides authentication and integrity checking to 
some extent. One alternative option is to use authentication add-ons. For example, 
SYN-cookies [ML97] can be used to thwart some TCP-based attacks such as SYN-flood, LAND 
attacks, and ACK-flood/mstream attacks. Second, protocols must be implemented carefully 
to avoid integrity and security flaws. One example is to reassemble fragments properly 
with sufficient bounds checking to avoid the destructive impact of fragmentation 
attacks. 

3 Flow-Control in the Internet 

Flooding N-DoS attacks work because of the overall weak network flow-control 
on the Internet. 



3.1 Deficient Flow-Control in the Internet 

In today’s Internet, most network nodes use FIFO (First In First Out) scheduling 
and Drop-Tail or RED (Random-Early-Detection [FJ93]) buffer management 
schemes. 

Fig. 1 and Fig. 2 demonstrate a scenario in which malicious non-responsive flows in a 
FIFO/RED flow-control scheme grab bandwidth from legitimate elastic flows. The NS2 tool 
[FV00] was used to perform the experiment. A DDoS flooding attack topology is simulated 
in Fig. 1 with seven network nodes and six source nodes. Incoming flow features are 
described in Table 2. Traffic with mixed legitimate and malicious flows passes from the 
network nodes to a bottleneck node and reaches the destination D2. Fig. 2 shows the 
output statistics at the bottleneck node's output link, which demonstrate that, as the 
malicious flows (unresponsive web traffic and ICMP2victim traffic) increase their 
sending rates and reach a certain level, at about 1600 seconds, most legitimate flows 
start to lose their output bandwidth share. This reflects a typical flooding N-DoS 
attack scenario. 

Fig. 1. Simulation Topology 

[Fig. 2 plot, "DDoS: FIFO-only", with series UDP-RealPlayer, UDP-DNS, ICMP-other, 
ICMP2victim, Unresponsive-Web, Web, TCP-DNS, TCP-SMTP, TCP-NNTP, FTP, Telnet] 

Fig. 2. Flooding N-DoS traffic over FIFO/RED flow-control. flow(1): ICMP2victim; 
flow(2): Unresponsive-Web; flow(3): Other legitimate flows 



Table 2. Features for incoming flows. (Packet sizes in the table do not necessarily 
represent accurate average values for specific protocols. Different sizes are chosen to 
reflect their influences on outputs.) 

  Legitimate TCP-friendly Flows    Web    DNS    SMTP   NNTP   FTP    Telnet 
  Packet Size (Bytes)              600    400    1000   700    1500   500 
  Window Size (Bytes)              65535 (all flows) 

  Legitimate Non-TCP-Friendly Flows   Real Player   UDP-DNS   ICMP 
  Packet Size (Bytes)                 500           400       300 
  Delay (sec/Bytes)                   0.08 (all flows) 

  Malicious Flows        Unresponsive Web Flow   Malicious ICMP Flows 
  Packet Size (Bytes)    400                     500 
  Delay (sec/Bytes)      Gradually decrease from 0.09 to 0.0004 (both flows) 


3.2 Alternative Scheduling Strategies 

Sect. 3.1 has demonstrated that the FIFO scheduling and RED buffer-management scheme is 
vulnerable to N-DoS attacks. This section discusses alternative scheduling schemes; the 
next section addresses the buffer-management issue. 

Priority Queuing (PQ) was designed to give mission-critical programs higher priority 
than less critical traffic. There are two problems with this scheme. First, as long as 
crackers can spoof the priority field, theft-of-service can occur, which results in DoS 
against legitimate users. Second, assigning priorities for all user flows in the open 
Internet is almost infeasible. 

Fair Queuing (FQ) restricts every host to an equal share of network bandwidth. 
Unfortunately, this scheme cannot guarantee fairness when the network is under N-DoS 
attack. Malicious flows go unpunished because they share the bandwidth equally with 
legitimate flows. This scheme cannot reflect the complexity of dynamic Internet 
traffic. 

Weighted Fair Queuing (WFQ) gives low-volume traffic flows preferential treatment and 
allows higher-volume traffic flows to obtain equity in the remaining amount of queuing 
capacity. This scheme itself is susceptible to N-DoS attacks. When attackers generate 
short flows, which happens often, especially when spoofed IP addresses are used, WFQ 
can in fact help N-DoS attackers by giving these low-volume flows preferential 
treatment. 
Class-based Queuing (CBQ) [FJ95] classifies incoming traffic into appropriate classes 
and then determines the bandwidth usage for each class. This concept has the 
flexibility to reflect the dynamic nature of Internet traffic and has the potential to 
react against flooding N-DoS attacks. CBQ is recommended as the skeleton of the 
scheduling scheme in the AFFC model proposed in Section 4. 

3.3 Existing Congestion Control Schemes in Network Nodes 

Congestion control in network nodes is also referred to as buffer management, which is 
responsible for packet dropping when congestion occurs. Drop-Tail (DT) sets a maximum 
length for each queue and accepts packets until the maximum length is reached. It is 
known that DT can create a "full-queue" problem. It is vulnerable to N-DoS flooding 
attacks and is not recommended. 

The Active Queue Management (AQM) concept manages buffers by setting two thresholds, a 
minimum and a maximum. One example is RED, which cannot thwart the destructive impact 
of flooding N-DoS attacks, as demonstrated in Sect. 3.1. 

3.4 Existing QoS Schemes 

There are two major QoS (Quality-of-Service) strategies being proposed: Differentiated 
Service (Diff-Serv) and Integrated Service (Int-Serv). 

Diff-Serv sets bits in an IP header field at network boundaries (autonomous system 
boundaries, internal administrative boundaries, or hosts). Diff-Serv is essentially a 
refined priority-scheduling model, which does not solve the flooding N-DoS problem. 
First, the priority setup is determined by boundaries or end-hosts. Policy setup only 
reflects a sender's request, not network conditions. Second, it is possible that 
crackers can manipulate the bits in the ToS field of IPv4 or the TC field of IPv6, 
resulting in theft-of-service, which leads to DoS against legitimate users. Notice that 
in IPsec these two fields are not included in the cryptographic calculations. Indeed, 
RFC 2475 [Bs98] has specified that a PHB (Per-Hop-Behavior) should include a section 
detailing the security implications and discussing how the proposed PHB group could be 
used in DoS attacks as well as how to detect such attacks. Current Diff-Serv proposals 
leave the DoS problem unsolved. 

Int-Serv, as a model that predominantly focuses on real-time classes of applications in 
order to provide guaranteed service for both delay and bandwidth, does not address the 
issue of solving N-DoS. 

4 Anti-flooding Flow-Control Model in Network Nodes 

To defend against N-DoS attacks and guarantee network resource availability, additional 
flow-control schemes need to be explored. This section presents an Anti-Flooding 
Flow-Control (AFFC) model deployed in network nodes to defend against flooding N-DoS 
attacks. There are four major components in the AFFC model: traffic classifier, dynamic 
buffer manager, packet scheduler, and early-traffic-regulation. The AFFC procedures aim 
to find differences in traffic behavior between harmful and normal flows, so as to 
thwart the destructive impact of flooding N-DoS attacks. 
4.1 Traffic Classification 

A traffic classifier categorizes incoming flows into classes based on destination IP 
addresses (or destination IP address groups) and protocol types. It generates a 
bandwidth baseline based on the arrival-rate pattern for each flow class. The bandwidth 
baselines are used by scheduling and dynamic buffer management to determine the packet 
send rates and drop rates, which are triggered when potential congestion collapse is 
detected in bottleneck nodes. 

Even though Internet traffic patterns are exceedingly hard to characterize, 
diurnal patterns in certain focal points do exist [FP99]. Some studies have 
even demonstrated the existence of diurnal patterns in international backbones 
[TMW97]. We have performed some experiments and collected statistics locally, 
which proved the existence of diurnal traffic patterns. 

4.2 Dynamic Buffer Management 

Buffer management decides when to drop packets and in what dropping rates. 
In the AFFC model, elastic traffic and best-effort classes are treated separately. 

Elastic Traffic. In flooding N-DoS attacks, crackers often use spoofed IP addresses, as 
in SYN-flood and ACK-flood/mstream attacks. Those attacks have one common 
characteristic - the malicious TCP flows are non-responsive to congestion signals. If 
the harmful traffic does not behave like constant-bit-rate (CBR) traffic, it moves in an 
aggressive manner with faster arrival rates, which is distinguishable from the behavior 
of legitimate elastic traffic. 

In the AFFC model, legitimate elastic flows are reserved based on the following 
observations. Theoretically, elastic flows follow the TCP-friendly behavior [FF99]: 

    $T \le \dfrac{1.5\,\sqrt{2/3}\; B}{R\,\sqrt{p}}$                                   (1) 

where $T$ (Bps) is the maximum sending rate for a TCP connection, $B$ (Bytes) is the 
number of packets sent, $R$ (seconds) is the minimum round-trip time using that link, 
and $p$ (Bps) is the traffic drop rate. 

Equation (1) shows that, for legitimate TCP-adaptive flows, if the long-term packet 
drop rate of the connection increases by a factor of $x$, then the arrival rate from 
the source should decrease by a factor of roughly $\sqrt{x}$. Notice that when network 
links are about to be saturated, the round-trip time $R$ tends to approach a constant, 
so the change of $R$ is then negligible. 

The dynamic buffer management in AFFC keeps a recyclable pool that records the 
responsive flows, i.e. those whose arrival-rate decrease ratios fall into the range 
$(1/a,\; 1)$. The parameter $a > 1$ is added to account for the possible increase of 
the round-trip time $R$ in Equation (1) when a network link is increasingly saturated. 
The flows in the reservoir are permitted to pass when traffic regulation is required 
and triggered by potential congestion collapse in bottleneck nodes. Other packets are 
dropped. The permission list is refreshed periodically. 
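The responsive-flow pool described above, as an added example that is not part of the original paper: it applies Equation (1) to decide whether a flow's measured rate reduction is consistent with TCP-friendly behaviour and rebuilds the permission pool from one interval of measurements. The function names, the slack parameter a, the acceptance rule (observed new/old rate ratio below 1 and no larger than a times the predicted 1/sqrt(x)) and the sample flow measurements are assumptions of this example, not the paper's own.

```python
"""Responsive-flow pool for the AFFC elastic-traffic policy.

Added example (not the paper's code). It applies the TCP-friendly bound of
Equation (1) [FF99]: if a connection's long-term drop rate rises by a factor
x, a responsive source should cut its arrival rate by roughly sqrt(x). Flows
whose measured rate ratio is consistent with that prediction, within a slack
factor a > 1 for RTT growth and measurement noise, stay in the permission
pool; the rest are treated as unresponsive. Function names, the acceptance
rule and the sample measurements are assumptions.
"""
import math


def tcp_friendly_rate(B, R, p):
    """Equation (1): maximum sending rate T (Bps) of a TCP connection.

    B: bytes, R: minimum round-trip time (s), p: drop rate."""
    return 1.5 * math.sqrt(2.0 / 3.0) * B / (R * math.sqrt(p))


def expected_rate_ratio(p_old, p_new):
    """Predicted new/old rate ratio from Equation (1) when B and R are unchanged:
    a drop-rate increase by x = p_new/p_old gives a rate decrease of sqrt(x)."""
    x = p_new / p_old
    return 1.0 / math.sqrt(x)


def is_responsive(rate_old, rate_new, p_old, p_new, a=1.2):
    """Decide whether a flow reacted to a rising drop rate like TCP would.

    Acceptance rule (an assumption of this example): the observed ratio must be
    below 1 (the flow slowed down at all) and no larger than a times the
    predicted ratio. A CBR flow (ratio ~1) or an aggressive flow (ratio > 1)
    fails the check; a flow that slowed more than predicted, e.g. because its
    RTT grew as the link saturated, still passes."""
    if p_new <= p_old:
        return True          # drop rate did not rise in this interval: nothing to judge
    predicted = expected_rate_ratio(p_old, p_new)
    observed = rate_new / rate_old
    return observed < 1.0 and observed <= predicted * a


def refresh_permission_pool(samples, a=1.2):
    """Rebuild the permission pool from one interval of measurements.

    samples maps flow id -> (rate_old, rate_new, p_old, p_new)."""
    return {fid for fid, s in samples.items() if is_responsive(*s, a=a)}


# Constructed measurements for one regulation interval (rates in Bps, drop rates).
SAMPLE_FLOWS = {
    "tcp-smtp":         (1000.0,  700.0, 0.01, 0.02),  # ~1/sqrt(2) decrease: responsive
    "tcp-ftp":          (2000.0, 1000.0, 0.01, 0.04),  # halved while drops quadrupled: responsive
    "unresponsive-web": (1000.0, 1000.0, 0.01, 0.02),  # CBR-like, ignores drops
    "ack-flood":        (1000.0, 1500.0, 0.01, 0.02),  # grows under loss: aggressive
}

if __name__ == "__main__":
    print(sorted(refresh_permission_pool(SAMPLE_FLOWS)))
```

With the constructed samples, only the two TCP flows end up in the pool; the CBR-like and the aggressive flow are excluded and would be dropped once regulation is triggered.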
Best-Effort Traffic. For best-effort traffic, which was designed not to respond to 
congestion signals, the AFFC strategy is to regulate the sending rate of harmful flow 
classes in times of potential congestion collapse under N-DoS attacks. Those attacks 
include UDP flood, ICMP flood, SMURF attacks, Fraggle attacks, and so forth. 

When traffic regulation is needed, problematic flow classes are singled out based on 
destination IP address (groups) and protocol types. First, for the harmful flows, 
packet drop rates are regulated up to the bandwidth baselines collected from the 
traffic monitor and classifier. Second, if the potential congestion collapse in a 
bottleneck is not eased and traffic regulation is still necessary, packet drop rates 
are increased further, corresponding to halving the packet sending rates. 

The packet drop-rate regulation can be achieved by adjusting two buffer thresholds, 
minThresh and maxThresh. Let the new drop ratio be 

    $dropRatio' = x \cdot dropRatio$, 

then 

    $newmaxThresh = \dfrac{(x - 1)\, minThresh + maxThresh}{x}$                     (2) 

During the course of traffic regulation, the outgoing bandwidth share $\lambda_{OUT}$ 
follows a multiplicative decrease for each time interval $\Delta t$. The form of the 
multiplicative decrease is $\lambda_{OUT}(t) = \lambda_{OUT}(t - \Delta t)/k$. The 
parameter $k$ is the decrease ratio for the outgoing rate $\lambda_{OUT}$ in the time 
frame $\Delta t$, used when a given flow's arrival rate is faster than its bandwidth 
baseline. $k$ can be set to two to simulate the TCP congestion window algorithm. When 
the arrival rate is below the baseline while traffic regulation is still required, the 
factor $k$ is decreased so that the sending rate reduces at a slower rate. 

The output rate bound $\lambda_{OUT}$ resumes its original value when traffic 
regulation signaling stops. 

In order to keep balance in the queue $Q$, the incoming rate $\lambda_{IN}(t)$ needs to 
be adjusted as $\lambda_{IN}(t) = \lambda_{OUT}(t) = \lambda_O(t) - \nu(t)$, which 
yields 

    $\nu(t) = \lambda_O(t) - \lambda_{IN}(t)$                                          (3) 

where $\lambda_{IN}(t)$ is the incoming rate, $\lambda_O(t)$ is the raw incoming 
traffic rate, and $\nu(t)$ is the drop rate. 

The change factor $x(t)$ of the drop rate $\nu(t)$ is calculated as 

    $x(t) = \dfrac{\nu(t)}{\nu(t - \Delta t)}$                                         (4) 

Considering the time factor, Equation (2) can be represented as 

    $newmaxThresh(t) = \dfrac{[x(t) - 1] \cdot minThresh(t - \Delta t) + maxThresh(t - \Delta t)}{x(t)}$     (5) 

Equations (3) to (5) demonstrate an approach to regulate incoming flows in response to 
flow arrival rates $\lambda_O(t)$ and outgoing sending rates $\lambda_{OUT}(t)$. 
4.3 Scheduling 

The scheduling scheme in AFFC is a CBQ-based multi-queuing approach. 

First, classified traffic is put in multiple queues. 

Second, when traffic regulation is not required, each class of traffic uses up to the 
maximum bandwidth available; flows are not restricted to bandwidth baselines. If 
potential congestion collapse is detected in a bottleneck node, traffic regulation is 
required: the dynamic buffer management is activated, as well as the scheduling 
schemes. 

Scheduling schemes decide when to send packets and at what rates. In the AFFC model, 
for elastic traffic, flows in the permit list are forwarded at rates matching their 
arrival rates, which the sources have already slowed down in response to congestion 
signaling. 

For best-effort traffic, sending rates for harmful flows are restricted to their 
bandwidth baselines, and will decrease by a certain factor $k > 1$ when congestion 
continues. The following algorithm demonstrates the rate control for harmful 
best-effort flows. All symbols used match those in Equations (1) to (5). 

Proc Rate-Control(λOUT0, λO0, ν0, k, minThresh0, maxThresh0) { 
    λ = λOUT0 / k;                        /* multiplicative decrease of the outgoing rate bound */ 
    x = (λO0 − λ) / ν0;                   /* Eq. (3), (4): new drop rate λO0 − λ over the previous drop rate ν0 = ν(t − Δt) */ 
    maxThresh = ((x − 1) * minThresh0 + maxThresh0) / x;    /* Eq. (5) */ 
    return (maxThresh); 
} 
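Equations (2) to (5) and the Rate-Control procedure above carried through in working code, as an added example that is not the paper's code: a RED-style drop-probability function shows that the maxThresh of Equation (2) multiplies the RED drop ratio by exactly x, and a small driver runs several regulation intervals with k = 2 against a constant raw arrival rate. The helper names, the guard for a zero previous drop rate, and the sample rates and thresholds are assumptions.

```python
"""Drop-rate regulation for a harmful best-effort class.

Added example (not the paper's code) carrying Equations (2) to (5) and the
Rate-Control procedure of Section 4.3 through in working code. Per interval
the outgoing rate bound is divided by k, the drop rate that keeps the queue
balanced follows from the raw arrival rate (Eq. 3), its change factor x is
taken against the previous interval (Eq. 4), and the RED maxThresh is moved
so that the RED drop probability scales by x (Eq. 2/5). Rates are in Bps,
thresholds in packets; helper names, the zero-drop-rate guard and the sample
numbers are assumptions.
"""


def red_drop_probability(avg_queue, min_thresh, max_thresh, max_p=0.1):
    """RED [FJ93] early-drop probability for an average queue length.

    Linear between minThresh and maxThresh, forced drop above maxThresh."""
    if avg_queue < min_thresh:
        return 0.0
    if avg_queue >= max_thresh:
        return 1.0
    return max_p * (avg_queue - min_thresh) / (max_thresh - min_thresh)


def new_max_thresh(x, min_thresh, max_thresh):
    """Equation (2): maxThresh that multiplies the RED drop ratio by x.

    Moving maxThresh shrinks the (maxThresh - minThresh) slope span by x, so
    the linear part of red_drop_probability grows by exactly x."""
    return ((x - 1.0) * min_thresh + max_thresh) / x


def rate_control(lam_out0, lam_o0, nu0, k, min_thresh0, max_thresh0):
    """One interval of the Rate-Control procedure (Section 4.3).

    Returns (new maxThresh, new outgoing bound, new drop rate)."""
    lam = lam_out0 / k                 # multiplicative decrease of the outgoing bound
    nu = lam_o0 - lam                  # Eq. (3): drop rate that balances the queue
    if nu0 <= 0.0:
        # No drops in the previous interval: x -> infinity and Eq. (5) tends to
        # minThresh, so start dropping as early as RED allows (guard is an assumption).
        return min_thresh0, lam, nu
    x = nu / nu0                       # Eq. (4): change factor of the drop rate
    return new_max_thresh(x, min_thresh0, max_thresh0), lam, nu


def regulate(lam_o, lam_out0, nu0, k, min_thresh, max_thresh, intervals):
    """Apply rate_control for several intervals against a constant raw arrival
    rate lam_o. Returns the trajectory of (lam_out, nu, maxThresh) per interval."""
    history = []
    lam_out, nu, mt = lam_out0, nu0, max_thresh
    for _ in range(intervals):
        mt, lam_out, nu = rate_control(lam_out, lam_o, nu, k, min_thresh, mt)
        history.append((lam_out, nu, mt))
    return history


if __name__ == "__main__":
    # Constructed scenario: a harmful class arriving at 1000 Bps whose bound
    # starts at 800 Bps with 200 Bps already being dropped; RED thresholds 5/15.
    for step, (lam_out, nu, mt) in enumerate(regulate(1000.0, 800.0, 200.0, 2, 5, 15, 3), 1):
        print(f"interval {step}: out={lam_out:.0f} Bps drop={nu:.0f} Bps maxThresh={mt:.2f}")
```

Note that maxThresh only ever moves toward minThresh while regulation continues, which is the intended effect: the class is dropped earlier and harder each interval, and the original thresholds are restored when regulation signaling stops.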

4.4 Early Traffic Regulation 

Necessity of Early Traffic Regulation. The purpose of Early-Traffic-Regulation (ETR) is 
to throttle harmful traffic in network nodes prior to bottlenecks, in order to prevent 
flooding N-DoS attacks from causing congestion collapse. Without ETR, legitimate 
packets discarded in earlier network nodes cannot be saved in later nodes. 

In our experiment, with the scenario shown in Fig. 1, if traffic regulation with the 
dynamic buffer management and scheduling is only applied on the bottleneck, the 
legitimate traffic outputs start to decline at about 1950 seconds. 

In order to control traffic effectively when a network is under flooding N-DoS attack, 
AFFC includes a policy to deploy traffic regulation in reverse traffic paths starting 
from bottleneck nodes. 



Back Tracing. Traffic paths need to be determined in order to launch ETR. Using extra 
ICMP back-tracing messages is promoted in AFFC. Itrace [Bellovin00] is one example of 
such back tracing. There are several advantages to ICMP-based back-tracing approaches. 
First, they do not require modification of IP headers. Second, they do not require 
routers to analyze each incoming packet, as the Packet Marking and Sampling approach 
[SWKA00] does. Third, they do not require ISP administrators to interfere or manually 
perform login processes, as hop-by-hop back-tracing [Cisco] does. Finally, they do not 
rely on the existence of IPsec, as the IPsec-based strategy [CWSW00] does. 
Assume a tracing packet needs to pass $n$ routers $R_n > \cdots > R_1$ to reach its 
destination node. Also, assume $P_d[R_i]$ is the packet-drop probability for the 
network node $R_i$, and $P_d[R_i] = p_d$. For a network node $R_i$, an ICMP trace-back 
message must pass through $i$ other network nodes to reach its destination. The 
survival probability is $P_s[i] = (1 - p_d)^i$. 
A total of $n$ messages have to arrive successfully at the destination in order to 
rebuild a path. For the $n$ independent routers, the probability of successfully 
receiving the $n$ messages is: 

    $P_s = (1 - p_d)^n \cdot (1 - p_d)^{n-1} \cdot (1 - p_d)^{n-2} \cdots (1 - p_d)^1 = (1 - p_d)^{n(n+1)/2}$ 

Assume it needs $k$ sending times for a back-tracing message to reach the destination. 
The expectation of the mean sending times becomes: 

    $E[k(p_d, n)] = \dfrac{1}{P_s} = (1 - p_d)^{-n(n+1)/2}$ 

The average number of sending times $E[k(p_d, n)]$ decreases exponentially as the drop 
probability $p_d$ decreases for a given hop number $n$. When $n = 4$ and $p_d = 10$, 
$E[k(p_d, n)] \approx 1.2$, a survivability that is acceptable for back-tracing 
messages and ETR signaling. 
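The survivability analysis above in code, as an added example that is not the paper's own: it computes P_s and E[k(p_d, n)] from the per-node drop probability, and additionally searches for the longest path whose expected sending times stay within a budget, which goes slightly beyond the single n = 4 case in the text. The p_d = 0.02 used in the usage call is a constructed value, chosen because it reproduces E ≈ 1.2 for n = 4; the function names are assumptions.

```python
"""Survivability of ICMP back-tracing messages for ETR signaling.

Added example (not the paper's code) for the analysis in Section 4.4: each of
the n routers on a path emits one trace-back message, the message from router
R_i must cross i further nodes that each drop it with probability p_d, and the
path is rebuilt only when all n messages arrive. The expected number of
sending rounds is 1/P_s. hops_within_budget goes beyond the text's single
n = 4 case by searching for the longest path that stays within a round budget.
Function names and the sample p_d are assumptions.
"""


def survival_probability(i, p_d):
    """P_s[i] = (1 - p_d)^i: one message crossing i nodes without being dropped."""
    return (1.0 - p_d) ** i


def path_rebuild_probability(n, p_d):
    """P_s = prod_{i=1..n} (1 - p_d)^i = (1 - p_d)^(n(n+1)/2): all n messages arrive."""
    prob = 1.0
    for i in range(1, n + 1):
        prob *= survival_probability(i, p_d)
    return prob


def expected_sending_times(n, p_d):
    """E[k(p_d, n)] = 1 / P_s: mean rounds until the whole path is rebuilt.

    With p_d = 1 no message ever arrives, so the expectation is infinite."""
    ps = path_rebuild_probability(n, p_d)
    return float("inf") if ps == 0.0 else 1.0 / ps


def hops_within_budget(p_d, max_expected_rounds, max_n=64):
    """Largest n (up to max_n) whose expected sending times stay within the
    budget; 0 if even a one-hop path exceeds it."""
    n = 0
    while n < max_n and expected_sending_times(n + 1, p_d) <= max_expected_rounds:
        n += 1
    return n


if __name__ == "__main__":
    # Constructed value: p_d = 0.02 reproduces the paper's E ~ 1.2 for n = 4.
    for n in range(1, 7):
        print(f"n={n}: P_s={path_rebuild_probability(n, 0.02):.3f} "
              f"E[k]={expected_sending_times(n, 0.02):.3f}")
    print("hops within 1.5 expected rounds at p_d=0.02:", hops_within_budget(0.02, 1.5))
```

Because the exponent grows quadratically in n, the expected number of rounds climbs quickly for long paths; at p_d = 0.02 a budget of 1.5 rounds already limits the shield to five hops, which is one reason to keep a mission-critical node behind only a few layers of controlled network nodes, as Section 4.5 recommends.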

4.5 Performance and Cost 

Fig. 3 demonstrates AFFC performance with the four steps applied - traffic 
classification, dynamic buffer management, scheduling, and ETR. In contrast to Fig. 2, 
where AFFC was not used, and to the scenario where AFFC was only applied on the 
bottleneck node, legitimate flows keep their bandwidth availability and their services 
do not collapse when malicious traffic increases its sending rates. 
In a bottleneck node, AFFC functions include traffic pattern recognition, buffer 
management, scheduling, retrieving back-tracing path information from end users, and 
ETR signaling to network nodes prior to the bottleneck along traffic paths. The memory 
requirement is O(7*N*M*K*B), where N represents the number of diurnal time zones 
segmented in each day, M the number of protocols to be classified, K the number of 
continuous weeks to trace and reshape traffic patterns, and B the number of bytes to 
store each bandwidth baseline. The major computational overhead is from scheduling, 
which is O(lg C), where C is the number of classes. 

Fig. 3. AFFC performance 

AFFC in network nodes on back-tracing paths performs traffic pattern recognition, 
active buffer management, scheduling, and ETR signal response. The overall 
computational overhead is O(lg C), where C is the number of classes, and the memory 
requirement is the same as that of the bottleneck node. For ETR purposes, it is 
recommended to put a mission-critical node behind a certain number of layers of 
network-node shield over which the domain owner has control. 

The cost analysis above assumes all AFFC components are implemented in one piece. In 
practice, the buffer management and scheduling in AFFC can either be implemented to 
replace the FIFO/RED model, or be implemented as a separate filtering module beneath 
FIFO/RED or any other existing buffer management and scheduling scheme in a network 
node. The traffic monitoring can run in a passive mode on separate hardware to 
alleviate the computational burden on network nodes. 

5 Conclusion 

The continuous success of N-DoS attacks has exposed the vulnerabilities and flaws in 
Internet protocol designs and implementations, as well as those in the Internet 
infrastructure. Those attacks can be categorized based on attack symptoms and protocol 
types. 

The AFFC model presented in this paper is a flow-control-based defense scheme against 
flooding N-DoS attacks. Experiments have demonstrated the effectiveness of this model 
in alleviating the destructive impact of harmful flooding N-DoS flows. Computational 
and memory costs are proportional to the number of flow classes. These overheads can be 
shifted away from network nodes by implementing some AFFC components in separate 
hardware. 

N-DoS attacks have exposed overall insufficient security and reliability on the 
Internet; defense efforts need to be made by all parties in the Internet community. 
Abstract. Access control is concerned with limiting the activity of legitimate users 
in an application. Role-based access control (RBAC) uses roles to describe access 
rights indirectly. This indirect mapping is very flexible. However, current RBAC 
models are not suitable for describing fine-grained access control for data-centric 
enterprise applications. In this paper, we present a pragmatic role-based access 
control model for data-centric applications. The access control is fine-grained and 
flexible. An object-oriented implementation is also presented. Users are identified by 
digital certificates. The proposed model is designed for three-tier enterprise 
applications. 



1 Introduction 

Access control is concerned with limiting the activity of legitimate users in a system. 
It is an important technique to achieve both confidentiality and integrity. 
Traditionally, security has been more concerned with information flows than with access 
control. However, as more and more distributed objects (components) are deployed in the 
network, especially the Internet, access control has become a very important area of 
system security. As the architecture and development technologies of distributed 
information systems evolve, how to use and adapt the available access control 
technologies to the new architectural environments, for example three-tier network 
computing and component-based systems, has become one of the main focuses in this area. 

Many enterprise applications adopt the three-tier architecture. The clients provide 
graphical user interfaces to gather user inputs. One or more databases store the 
application state at the back-end. The application server is stateless. It provides 
computing services based on the parameters of client requests and the current state of 
the database. Database-based access control can only control access to data. Control 
of complex operations on the data is beyond the ability of the database. Furthermore, 
the database-based control model is not suitable for applications that have a large 
number of users. Fine-grained access control must be implemented on the application 
server. 

Traditional access control models, such as the access control list (ACL), are difficult 
to maintain as the number of users increases. Since the middle of the last decade, the 
role-based access control model (RBAC) [1] [2] [3] has attracted both researchers and 
developers. RBAC is very flexible in describing operative permissions and easily 
accommodates a large number of users. However, there is no suitable model to describe 
fine-grained access control for data-centric enterprise applications, which involve 
many database operations. 

In this paper, we present an extended RBAC access control model for three-tier 
enterprise applications. The object-oriented implementation is also presented. The 
paper is structured as follows. The system architecture, a three-tier model, is 
described first. The problems and requirements are discussed in Section 3. Section 4 
gives the system security architecture. The access control model is described in 
Section 5. Section 6 discusses some issues of authorization administration. Section 7 
summarizes the model and gives a glance at future work. 



2 A Three-Tier Model 

We consider distributed systems to be composed of a set of distributed components 
(objects). The client is thin, since it implements “thin” functionality. It provides user 
interfaces to users and the necessary modules to access the application server. The 
application server implements the bulk of business logic and functionality. One or 
more database servers run at the back-end to store and manage data - the state of the 
entire application. 



Fig. 1. Typical three-tier system (diagram showing two firewalls between the tiers) 



The architecture of typical three-tier systems is illustrated by Fig. 1. There is 
usually at least one firewall [8] between the client(s) and the application server. 
These clients access the application server through a middleware, such as Java RMI 
[10] or CORBA ORB [11]. Clients cannot communicate directly with the database, only 
through the application server. No backward invocation (callback) is allowed. This 
restriction is very practical. We have experience of a running application which has 2 
to 5 firewalls between clients and server. Firewall administrators are usually 
reluctant to open backward ports. 

The application server accesses the database using standard database connectivity, 
such as ODBC (open database connectivity) or JDBC [12]. Transaction coordination 
uses standard methods provided by database connectivity. Optionally, there is a 
firewall between the application server and the database. 

The model follows the strict client/server paradigm, i.e. the clients call services 
provided by the application server. Interaction between clients is not allowed. The 
application server is stateless. All application state is stored in the database. The 
computing result of every request is calculated from the parameters sent with the 
request and the current state in the database. However, the behavior of the 
application is not deterministic. For example, the same payment may result in a 
different balance if it is issued at different times. 
3 Requirements and Problems 

The challenge to develop a suitable access control model comes from two aspects: the 
structure of enterprise organization and the properties of permissions. 

The organizational structure decides the user structure of the system. A user's 
position in this structure decides his/her access rights in the system. In the 
Role-Based Access Control Model (RBAC) [1] [2] [3], the role is used as a semantic 
construct to model what an individual user takes on as a part of the organization, 
i.e. his job function within the organization, which describes authority and 
responsibility. Access rights are associated with a role, not directly with a 
particular user. This indirect mapping makes RBAC very flexible [1]. 

In most organizations, roles have a natural hierarchy [1] [4]. The hierarchical role 
model (RBAC1 in [1]) makes it easy to define a policy and implement access control. 
The role hierarchy is not always consistent with the organizational hierarchy of the 
enterprise. An organization may have some strongly autonomous sections, which have 
more rights than the one above them. 

The characteristics of permissions depend largely on the system type and its 
implementation. Permissions cannot be treated as simple symbols, as they are in some 
general access-control models. 

For well-modeled objects, permissions have clear definitions. For example, a Unix file 
has 3 permissions: read, write, and execute. Permissions of enterprise applications 
are defined first of all by their functionality. The functionality in turn is decided 
by the business logic to be implemented. For component-based systems, business logic 
is implemented as independent components. This means that a component implements a 
particular business logic, which defines its own permissions. Some components may be 
developed by different development teams or even by different component vendors. A 
general permission model is required but difficult. Consider the characteristics of 
components. In this paper, a component is considered an independent software unit; it 
has one or more interfaces which can be accessed by other components or programs. Each 
interface is composed of at least one operation. From this viewpoint, the permissions 
of a component can be defined as a union of interface(s) and/or operation(s). 

A component has not only interfaces and operations; it must also access data in a database. 
In three-tier systems, components on the application server access the data in the 
database in the third tier to perform their business logic. It is the component which 
accesses the database, not the user! This means a database can only identify which 
component is accessing it, not which user. Usually, an application server uses a single 
account (user ID/password) to access a database, so the access control mechanism provided 
by the database cannot be applied to the users on the client side. Therefore, the 
application server is obligated to check whether a user may access a table, a record, 
and even a column in the database. In other words, access control of data must be 
carried out in the components running on the application server. 

In addition, access control in databases is usually coarse-grained. Permissions of a 
database are difficult to define at the record level. 

In summary, permissions for enterprise applications can be categorized into two 
groups: action (operation) and data. Operational permissions are usually easy to 
associate with roles. For example, a role ‘secretary’ can issue payments and check 
balances. Such operational permissions can easily be modeled in a user-neutral way. 
Modeling permissions for data access is difficult. For example, a secretary can only issue 
a payment against a fund/project of his/her institute or research group. Such 
permissions are directly associated with users. 

Another problem for enterprise applications is the continuous evolution of the 
business logic. Access control, or the access control policy, is part of the business 
logic. The access control model must be able to accommodate such evolution, i.e. be flexible 
enough to adopt new business logic or changes to it. 

The aforementioned problems are addressed from two sides: the system security 
architecture, and the domain concept used to model data permissions. 



4 System Security Architecture 

The system security architecture is given in Fig. 2. Firewalls [8] are used to restrict 
unwanted network access to the system. Every user must have a digital certificate 
issued by a certificate authority (CA) [7]. A user usually has only one ID certificate. 



[Fig. 2 shows the three tiers: Client, Application Server, Database] 

Fig. 2. System security architecture 

When a user tries to log on to the system, the user's ID certificate will be validated. Without 
a valid ID certificate, a user cannot log on to the system. 

A client communicates with a server component through secure middleware. The 
secure middleware provides three services. The first is an object-oriented 
invocation model. The second is a secure communication channel in which all data 
flowing through the channel is encrypted. Finally, the secure middleware provides the 
ID certificate information to server components, such as who is currently the caller of 
an operation. 

The underlying transport uses the transport layer security protocol (TLS 1.0) 
[6], which is an extension of the secure socket layer protocol (SSL 3.0) [5]. 

Every operation is logged in a log file; this is carried out by the ExportManager. 
Each log item contains the following information: ID of the certificate, user name, 
referenced component and its operation, the incoming time (and date) and response 
time. Analysis of the log (auditing) is carried out offline [9]. 

Besides the entry control at login, every invocation of a server component is 
controlled. Every component has its own access control (a sub-component). In this 
access control model, a component is the real entity which interprets and carries out 
the access control policies. The details will be discussed in the next section. 
5 Role and Permission Models 

5.1 Role and Permissions 

The model is illustrated in Fig. 3. As defined in [1] and [2], a role represents a 
collection of job functions in a commercial or government enterprise. A role 
describes authority and responsibility. A role is associated with a number of 
allowed operations. A user may belong to multiple roles. 




Fig. 3. An extended RBAC model for data-centric enterprise applications 

A user establishes sessions during which she/he may activate a subset of the roles 
she/he belongs to. Each session maps one user to possibly many roles. Each session is 
associated with a single user. In our model, every user must hold a recognized digital 
certificate. A user is identified by his certificate. 

The domain concept is used to model data permissions. Data permission is concerned with 
defining the data areas accessible to a particular user. A domain is a set of records and/or 
tables in a database. Usually, the data of enterprise databases is well structured. A 
domain can be identified by some key attributes. For example, every record in a 
database is usually labeled by the ID of who has inserted it; this label can be used as 
the key attribute to identify the domain: all records inserted by that user. 

A user usually has his accessible domain(s). For example, the head and the secretary 
of the distributed computing research group of a computer engineering department 
should have the right to access the financial data of that group. An ordinary faculty member 
can only access the financial data about his own research projects. The head and the 
secretary have a larger domain; the faculty member has a smaller one. For example, 
the domain of all projects of the distributed computing research group can easily be 
identified by two keys: the name of the department (computer engineering) and the 
name of the research group (distributed computing). The domain of the faculty 
member is only the project. It can be identified by the name of the department, the 
name of the research group, and the name of the project (e.g. CCR 9810116). 
Operational permissions are used to model actions. In component-based systems, 
operations are implemented by interfaces. Permissions include interfaces and 
the component itself. A component is considered an executable object. All operations 
provided by a component are regarded as the component itself. This means that if a user or a role is 
not allowed to access a component, the user cannot access any operation of that 
component. 

Permissions are comprised of two independent parts, domains and operations. An 
empty domain is acceptable. The rationale is that some functions have no domain in 
the central database; an example is the administrative function of the application 
server. In practice, some components in the system can be accessed by everyone who 
is admitted to the system. Such components are called non-secure components. 

A role is used to reflect the access rights and privileges in a software system. A role is 
different from an organizational role, such as head, faculty member, and secretary. 
Organizational roles may be reflected by access control roles, but do not always 
coincide with them. For example, an organizational role at a higher position does 
not always imply that it has more access rights in an information system than another 
organizational role at a lower position. However, it is very common in practice that 
organizational roles should be reflected in the enterprise application. Therefore, we will 
not distinguish the two kinds of roles in the following discussion. 

Each role has associated domain(s); these domain(s) are accessible by the operations 
associated with that role. 

User assignment (UA) is a relation between user and role, and the relation between 
user and domain. Role and domain are associated through the relation role-domain. 
During a session, a user may activate a subset of the roles he belongs to. The permissions 
granted to a user are the union of the operations associated with the roles. Each role has its 
own accessible domain. This is the central point of our access control model. Roles 
are defined generally, and multiple roles can be assigned to a user. A domain is user 
specific; therefore, it is directly assigned to a user. Domain and role are further 
associated with each other. 

Components are the real entities that interpret and carry out access control policies. A 
component opens one or more interfaces to a client. These interfaces are comprised of 
several operations. Therefore, it is very difficult to define a general scheme with 
which the security administrator can configure the access control policy of every 
component from outside. This is especially the case when one considers that the 
interface of a component is under evolution and may change very often. 

The access control policy is strongly associated with the structure of an organization, 
which is usually relatively stable. If the structure of the organization changes, the 
component must also be changed. Therefore, letting the component interpret the 
access control policies is a reasonable decision. 

To carry out the access control policy, a component must perform the following checks. 
First, since every session may have more than one activated role, the component decides 
whether one (or more) of these roles is accepted by the invoked operation (interface, 
component). If none of the roles is acceptable, this session is rejected. For an 
acceptable invocation, the component checks whether the accessed domain of the 
invocation is within the domain associated with that role. If the accessed domain of the 
current session is not within that domain, the session is rejected. 

Here we come to a very important point. The component checks every permission 
according to the underlying user (user ID) of the invocation. This rule guarantees that 
the access control is applied to the user who has initiated the reference, even if a 
component is referenced indirectly. 
5.2 Object Representation of Role 

It is very common that there are over a thousand users in an organization but only a few 
different roles. The concept of role makes it easy to define an access control policy 
and then assign access rights to an individual user. When a user is admitted to access 
the information system, one or more roles are assigned to that user. 

Roles may have overlapping responsibilities. In many organizations, there are a 
number of general operations or functions that can be performed by many members. It 
is inefficient and administratively cumbersome to specify such operations repeatedly 
for each role. To improve efficiency, RBAC uses a role hierarchy to model such 
relationships (RBAC1 in [1]). A role hierarchy defines roles that have unique attributes 
and that may contain other roles. That is, one role may implicitly include the 
permissions that are associated with another role. 

To efficiently implement a role and its hierarchy, we use an object to represent a role. 
The idea is that each role is represented by an object, or more precisely a class. A 
domain is also represented by an object. The relationship between role and domain is 
represented by an association between role and domain. 

According to the principles of objects, a sub-class is an extended class of its super-
class. The role hierarchy is reflected by the class hierarchy. Therefore, a sub-class has 
all access rights of the role represented by its super-class. 

To illustrate the concept, we give the role model of an example application. For 
the sake of simplicity, only four roles are illustrated. They are system administrator, 
signer, evaluator, and booker. 

The role evaluator has the right to check the balance and performance of a particular 
department, division, or project. The role booker has the right to issue a payment. It 
also has the rights of the role evaluator. The role signer is entitled to sign 
a payment. Only signed payments are valid and can be transferred to the bank. 

The role administrator has the right to configure the system profile and do user 
assignment, i.e. assigning particular role(s) and domain(s) to a user. 




Fig. 4. An example UML model of roles 

Fig. 4 illustrates the UML model of these roles. Class Role is an abstract class. It is 
associated with class Domains, which is a collection of multiple domains and will be 
discussed in the next section. Evaluator, Signer, and Administrator are sub-classes of 
the class Role. They represent the roles evaluator, signer, and administrator described 
above, respectively. 











Class Booker represents the role booker, which includes the rights of role evaluator. 
This hierarchical relationship is reflected by modeling class Booker as a sub-class of 
class Evaluator. 

Class Roles is a set of Role instances. For example, an instance of Roles can be used 
to represent all possible roles which a user may belong to. 

As described in the previous section, each component must check whether an access 
is allowed. For simplicity, we suppose that a component only accepts one role. The 
role checking procedure is then as follows: after receiving an invocation, a 
component asks the framework who the user is and which roles he/she belongs to. 
The framework returns an instance of Roles. The component then invokes 
Roles.contains(acceptableRole) to check whether the user belongs to the 
acceptableRole. If false, the invocation is rejected; otherwise the invocation 
proceeds. 

This model greatly simplifies the role checking procedure. A Java 
implementation is given in Fig. 5. This algorithm ensures the maximal rights of the 
user. For example, if a user has the role booker, the rights of booker are ensured. 
Using the basic reflection technique, no role name appears in Fig. 5. The checking 
procedure can simply be extended to accept a list of Role. In this case, a component 
needs only know which roles are acceptable by maintaining a list of Role instances. 
This model is very flexible, especially when a role needs to be changed or a new role 
is introduced. During compilation, the compiler can easily check whether the 
acceptable Role list of a component is valid. For example, if a role is removed from 
the system, the developer simply deletes its class file. The compiler will do the rest. 



In this example, the security manager of the enterprise should be assigned the role 
administrator. The director of a research group can have the role evaluator. A 
secretary can play the role booker. 

Signer is a special role. The background is the concept of the digital signature. A user 
with role booker can issue a payment; this payment takes effect only when it is 
signed. Signer represents the role which has the right to sign a record (payment) in the 
database. 

In the above example, the term constraint is already illustrated implicitly. Some roles 
cannot be assigned to one user simultaneously. In Fig. 4, Roles is used to represent a 
group of roles which is assigned to a user. Some constraints can be validated when a 
Role is added to Roles. 

Some constraints, such as "a signer can not sign for himself", can only be implemented 
in the signature component which signs a record in the database. When it receives a 
signature request, the signature component will validate the signer according to the 
user ID; if the user is the same person who has issued the payment, the request is 
rejected. It ought to be mentioned that only users who belong to signer can invoke the 
signature component. 



// Method of class Roles (Fig. 4); roles is the java.util.Collection of Role 
// instances assigned to the user. 
public boolean contains(Role r){ 
    Iterator iter = roles.iterator(); 
    Role cr; 
    while( iter.hasNext() ){ 
        cr = (Role)iter.next(); 
        // true if cr is of r's class or of a sub-class of it (a more powerful role) 
        if( r.getClass().isInstance(cr) ) return true; 
    } 
    return false; 
} 

Fig. 5. Role checking 



// Method of class Domains (Fig. 7); domains is the java.util.Collection of 
// Domain instances assigned to the user. 
public boolean contains(Domain d){ 
    Iterator ds = domains.iterator(); 
    Domain cd; 
    while( ds.hasNext() ){ 
        cd = (Domain)ds.next(); 
        // each Domain decides itself whether it contains d (see Section 5.3) 
        if( cd.contains(d) ) return true; 
    } 
    return false; 
} 

Fig. 6. Checking domain access 

5.3 A Pragmatic Domain Model 

Fig. 7 depicts a pragmatic domain model to represent domains with objects. It 
gives an example of three key attributes: Department, Division, and Library. Domains 
can be independent or hierarchical with an arbitrary number of levels. 




Fig. 7. Domain representation 



Class Domain in this model is identified by the name and the value of a key attribute 
in a table of the database. For example, an instance of Department with value 
"computer engineering" will represent the domain department of computer engineering; an 
instance of Library with value "University of Karlsruhe" will represent the central 
library of the University of Karlsruhe. Since a division is usually part of an organizational 
hierarchy, the division of distributed computing can be considered as a domain only 
when it is placed under a department, e.g. an instance of Department with value 
“computer engineering”. 

Every key attribute is represented by a class, a static name is used to represent the 
name of that attribute. 

Hierarchical key attributes are modeled as a chain of classes. Fig. 7 depicts a two-
level hierarchy. The Department with name "DEPARTMENT" is above Division with 
name "DIVISION". Department always has an empty super-domain; it is at the 
highest level in our example. Division, at the lowest level, cannot exist independently. 
This is safeguarded by the constructor, which requires an instance of Department at 
construction. Division has an empty sub-domain, because it is at the lowest level. 

An instance of Domains can contain multiple Domain instances of the same and/or 
different types. It is a container of Domain instances, and is similar to a mathematical 
set. Two methods, equal and contains, are defined as follows; they are significant 
for access control. 

An instance d1 of a Domain is equal to another one d2, if and only if: 

(d1.name = d2.name) ∧ (d1.value = d2.value). 

An instance d1 of a Domain is said to contain another one d2, if: 

(d1 = d2) ∨ (d1 ⊃ d2). 

For example, an instance of Department with empty sub-domain includes every 
Division instance created under that department. An instance of Domain cannot 
include another one if they are not in the same hierarchy. How to decide d1 ⊃ d2 is 
defined by each particular Domain. 

Fig. 7 depicts only a hierarchical Domain with two levels. However, it should be 
clear that the model is valid for multi-level hierarchies. 

Role is associated with the Domains. This Domains restricts the data area accessible 
to the role. However, Domains is directly assigned to users not to Role. 

Control of domain access is applied to every invocation. For simplicity, we 
suppose that every invocation references a particular domain, which can be 
represented as a single instance of Domain. The component builds this instance 
according to the input. The access control model asks the framework for the 
user ID and which roles he/she belongs to. The framework returns an instance of 
Roles. The component further retrieves which role is currently valid and its associated 
Domains instance ds. It invokes ds.contains(referencedDomain) to check whether 
the user's referencedDomain is accessible. If false, the invocation is rejected; 
otherwise the invocation proceeds. The implementation of the 
contains(domain) method is given in Fig. 6. 

As indicated in Fig. 7, every Domain must implement the method contains(Domain 
d), since only the Domain itself knows its properties, such as its position in the 
domain hierarchy. The advantage of this design is that it keeps the domain access 
control simple, and the control need not be modified to accommodate changes to a particular 
Domain. 

5.4 Constraints 

There are generally two kinds of constraints: role constraints and user constraints. 
Constraints are implemented at three different levels: component, class Roles (belonging 
to the framework), and authorization administration. 

Role constraints: in many applications some roles are considered to be mutually 
exclusive for purposes of separation of duty, which is defined by the business logic. In the example 
given in the previous section, administrator and booker are mutually exclusive roles. 
As indicated in the previous section, some components may have an embedded access 
control policy, such as "a signer is not allowed to approve a payment for 
himself". Such constraints are implemented by the component itself. Not all 
components implement constraints. 

The role container Roles plays an important part in implementing constraints. It 
checks acceptability when a new role is added to it. If the new role is mutually 
exclusive with any role already in the container, it is rejected. 

User constraints concern which users may belong to a particular role. This is 
an organizational issue and is handled by authorization administration. 
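An added example (not the paper's code) that puts Sections 5.1 to 5.4 together in Java: the role hierarchy as a class hierarchy with the reflection-based check of Fig. 5, the two-level domain chain of Fig. 7 with the containment check of Fig. 6, the mutual-exclusion constraint enforced when a Role is added to Roles, and the role-then-domain check a component performs on each invocation. The component PaymentComponent, the EXCLUSIVE table and the department/division sample values are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.List;

// Role hierarchy of Fig. 4: the class hierarchy mirrors the role hierarchy.
abstract class Role {}
class Evaluator extends Role {}
class Booker extends Evaluator {}      // a booker also holds every evaluator right
class Administrator extends Role {}

// The roles assigned to one user; role constraints are enforced in add().
class Roles {
    private final List<Role> roles = new ArrayList<>();
    // Mutually exclusive pairs (Section 5.4 names administrator and booker); assumed table.
    private static final Class<?>[][] EXCLUSIVE = { { Administrator.class, Booker.class } };

    public boolean add(Role r) {
        for (Role held : roles) {
            for (Class<?>[] pair : EXCLUSIVE) {
                if ((pair[0].isInstance(r) && pair[1].isInstance(held))
                        || (pair[1].isInstance(r) && pair[0].isInstance(held))) {
                    return false;              // constraint violated: role rejected
                }
            }
        }
        roles.add(r);
        return true;
    }

    // The check of Fig. 5: true if the user holds the acceptable role or any
    // sub-class of it, so a booker passes where an evaluator is required.
    public boolean contains(Class<? extends Role> acceptable) {
        for (Role held : roles) if (acceptable.isInstance(held)) return true;
        return false;
    }
}

// Domain model of Fig. 7: a key attribute name and value, chained upwards.
abstract class Domain {
    final String name, value;
    final Domain superDomain;              // null at the top of the hierarchy
    Domain(String name, String value, Domain superDomain) {
        this.name = name; this.value = value; this.superDomain = superDomain;
    }

    // d1 equals d2 iff both the attribute name and its value agree.
    public boolean equal(Domain d) { return name.equals(d.name) && value.equals(d.value); }

    // d1 contains d2 iff d1 = d2 or d2 lies beneath d1 in the same hierarchy;
    // domains from different hierarchies never contain each other.
    public boolean contains(Domain d) {
        for (Domain cur = d; cur != null; cur = cur.superDomain) {
            if (equal(cur)) return true;
        }
        return false;
    }
}

class Department extends Domain { Department(String v) { super("DEPARTMENT", v, null); } }
// A division cannot exist without its department (enforced by construction).
class Division extends Domain { Division(Department d, String v) { super("DIVISION", v, d); } }

// The set of domains assigned to a user, with the check of Fig. 6.
class Domains {
    private final List<Domain> domains = new ArrayList<>();
    public void add(Domain d) { domains.add(d); }
    public boolean contains(Domain d) {
        for (Domain cd : domains) if (cd.contains(d)) return true;
        return false;
    }
}

// Hypothetical component: issuing a payment needs role booker on the referenced domain.
public class PaymentComponent {
    static boolean authorizeIssuePayment(Roles userRoles, Domains userDomains, Domain referenced) {
        if (!userRoles.contains(Booker.class)) return false;   // role check first (Fig. 5)
        return userDomains.contains(referenced);               // then the domain check (Fig. 6)
    }

    public static void main(String[] args) {
        // Constructed sample data, not taken from the paper's application.
        Department ce = new Department("computer engineering");
        Division dc = new Division(ce, "distributed computing");
        Division se = new Division(ce, "software engineering");

        Roles secretary = new Roles();                // a group secretary plays booker ...
        secretary.add(new Booker());
        boolean adminRejected = !secretary.add(new Administrator());  // ... but never administrator
        Domains ownGroup = new Domains();
        ownGroup.add(dc);                             // her domain: only her own group
        Domains wholeDept = new Domains();
        wholeDept.add(ce);                            // the department head's domain

        System.out.println("administrator assignment rejected: " + adminRejected);
        System.out.println("secretary, own group: " + authorizeIssuePayment(secretary, ownGroup, dc));
        System.out.println("secretary, other group: " + authorizeIssuePayment(secretary, ownGroup, se));
        System.out.println("secretary, whole department: " + authorizeIssuePayment(secretary, ownGroup, ce));
        System.out.println("head's domain, any group: " + authorizeIssuePayment(secretary, wholeDept, se));
    }
}
```

Note that a Division referenced by the invocation is only reachable through its Department chain, so a user whose Domains holds only one division can never reach a sibling division or the department as a whole, while a user holding the Department reaches every division beneath it.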



6 Authorization Administration 



User assignment is considered as two maps: user-role and user-domain. In our model, 
user assignment is entirely centralized and restricted to being defined by 
administration officer(s) and executed by a security administrator. The advantage of 
the centralized approach is the centralization of responsibility. For three-tier systems, 
it is also a natural requirement that both user assignment and authorization 
administration are centralized on the server side. 

There is an authorization database at the back-end. This database stores all 
information about the users and their assigned role(s) and domain(s). The application 
server accesses the database through an authority interface, which is provided by the 
security framework. This authority interface is shown in Fig. 8. User information 
indicates the user’s name, address, e-mail, etc. 



public interface Authority { 

    // returns all roles the given user ID can play. 
    public Roles getRoles(String userID); 

    // returns user information of the given user ID. 
    public UserInfo getUserInfo(String userID); 
} 

Fig. 8. The authority interface 

The application server obtains the user ID from the underlying middleware. The 
middleware retrieves the user ID from the user's certificate. 

There are three important aspects of user assignment. The first is role constraints. The 
authority administration implements the role constraints described in the previous 
section to ensure better security. 

The second aspect is user constraints. A secretary cannot be enrolled as an 
administrator. This aspect is difficult to guarantee because it is difficult to describe 
formally. There is no suitable way for the software to identify the organizational 
position of a user. The security manager and/or administrator must take the 
responsibility. 

The third aspect is concerned with domain assignment. Compared with role 
assignment, domain assignment should receive more attention. There are usually a 
small number of roles, whereas the number of domains may be huge if not uncountable. There 
are two rules. The first is that most of the domains assigned to a user are mutually 
exclusive with the domains assigned to a user from another division or department. 
The second rule is that the security administrator should have a general understanding of 
the underlying database. Most enterprise databases are well designed to reflect the 
enterprise structure. Every key attribute has a clear business meaning. They are very 
easy to grasp if one works within that organization. 

User assignment is a part of the entire security administration. There are many other 
aspects, for example user management and digital certificate management. 
Consistency between these is significant for a secure system. It is beyond the scope of 
this work and will not be discussed in detail. 



7 Conclusions 



In this paper, we have presented a role-based access control model for three-tier 
enterprise applications. The basic role-based access control model is extended to meet 
the requirements of data-centric applications. One of the important features is the 
novel permission model. The domain concept is introduced to provide fine-grained 
permissions. Access control can be applied to every row in the database. 

The new access control model is implemented on the application server. The 
application server uses only one or a few database account(s) to access the database. 
Access control on the application server and the database are separated. This makes 
the system administration simple and flexible. 

Another feature is that both role and domain are represented by objects. The object 
hierarchy is used to reflect the role hierarchy. Role evolution is very simple. The 
model is simple to implement as a common facility using object-oriented 
framework techniques. 

The proposed model has been implemented in Java. It has been integrated as part of a 
component-based framework. The framework has extended the access control to the 
client side. A financial control and management system for state universities in 
Germany has been developed based on this framework. The application has been used by 
two universities. 

Future work will concentrate on two issues. The first is to integrate the digital 
certificate and user management. Currently, they are managed separately. This has 
caused some consistency problems in the system. Another issue is to implement 
constraints. A new constraint model is required to be able to describe complex 
constraints on role and domain. 
Abstract. Firewalls offer protection for private networks against external 
attacks. However, configuring firewalls correctly is a difficult task. 
There are two main reasons. One is that the effects of a firewall configuration 
cannot be easily seen at configuration time. Another one 
is the lack of guidance to help configure firewalls. In this paper, we 
propose a general and unified methodology for the verification and the 
synthesis of firewall configurations. Our verification methodology offers 
a way to foresee and analyze the effects of firewall configurations at 
configuration time. Furthermore, our synthesis methodology can generate 
firewall configurations that satisfy users' requirements. As a result, 
firewall configurations that are free of many kinds of errors and loopholes 
can be obtained easily. 



1 Introduction 

Nowadays, firewalls (e.g. [1,2]) have become a widely used mechanism to achieve Internet 
security. Most, if not all, organizations whose computers have Internet 
access are currently using firewalls. Firewalls are located between an internal network 
and an external network. Firewalls offer protection for private (and internal) 
networks against external threats. In particular, firewalls ensure that only authorized 
information flows between internal networks and the external network 
are allowed. 

Even though firewalls can provide protection against external attacks, 
configuring firewalls correctly is a difficult task. There are two main reasons. 
One is that the effects of a firewall configuration cannot be easily seen at 
configuration time. Another one is the lack of guidance to help configure 
firewalls. 

Since the effects of a firewall configuration cannot be seen at the configuration 
time, many firewall configurations often have errors and loopholes. Most often, 
such errors and loopholes are discovered only after they actually happen at the 
execution time. This causes great damage to the system. 

Due to the lack of guidance to help configure firewalls, configuring them 
requires a great deal of experience, which is certainly not available to novice 
administrators. Moreover, configuring firewalls can be a complex and time-consuming 
task due to the large number of host computers, required services and 
firewalls. Furthermore, the networks of computers in any organization are constantly 
changing due to changes in the structure of the organization itself 
and the replacement of equipment. Most often a change of such a network 
requires a new firewall configuration. Thus, this worsens the situation. 

We argue that all these problems occur because of the lack of a firewall methodology 
to analyze the effects of firewall configurations and to help configure 
firewalls. In this paper, we propose a general and unified methodology for verifying 
and synthesizing firewall configurations. 

In [3], we proposed a graph-based model and its methodology to analyze the 
effects of Cisco firewall configurations. In this paper, we extend the model and 
the methodology there in several aspects. Firstly, we extend the model to be able 
to deal with both the verification and the synthesis within the same framework. 
Secondly, we define the notion of correctness of firewall configurations in the 
context of several kinds of policies, whereas [3] deals with one kind of policy only. 
Those policies are useful not only for the verification but also for the synthesis. 
Furthermore, we show here that our model is general in that it can be used to 
analyze the effects of Firewall-1 configurations as well, not just Cisco firewalls. 

Our approach is novel in that it is formal and it combines both verification 
and synthesis within the same framework. We show that our approach is more 
general than existing related approaches. Furthermore, we obtain the correctness 
justification and proof for the verification and the synthesis, respectively. 

We discuss the background in section 2, and present our model in section 
3. Our verification and synthesis methodology is discussed in sections 4 and 5, 
respectively. The correctness of our methodology is discussed in section 6, related 
work is discussed in section 7 and the conclusion is given in section 8. 

2 Background 

2.1 Firewall-1 Firewalls 

A Firewall-1 firewall is a software-based firewall, since it is software installed on a 
computer for filtering packets. 

Definition 1. Firewall-1 rules are represented by a tuple (SFR, SPR) where SFR 
stands for a set of filtering rules and SPR stands for a set of firewall property 
rules. 

Definition 2. A Firewall-1 filtering rule consists of the following: (Source, 
Destination, Service, Action, Activating FW objects) where 

- Source and Destination stand for senders' IP addresses and receivers' IP 
addresses, respectively, 

- Service consists of a protocol and a port, 

- Action stands for whether flow from Source to Destination is allowed or not, 
i.e. (permit or drop), and 

- Activating FW objects stand for names representing firewall objects which 
perform the filtering of the flow of packets. 
Intuitively, a filtering rule defines the permission or prohibition of flows from 
Source to Destination via Activating FW Objects for Service. Note that the keyword any can 
be used to specify sources and/or destinations, and it means any IP address. 

A Firewall-1 property rule defines not only a set of interfaces of a firewall 
object, but also the direction of the filtering of the flow of packets at all interfaces 
of the firewall object. Note that the direction is defined for all interfaces of a 
firewall. Moreover, all interfaces of a Firewall-1 firewall object enforce the same 
set of filtering rules. 

Definition 3. A firewall property rule for Firewall-1 is defined by (FW object, Interfaces, Direction), where 

- FW object stands for a name representing a firewall object, 

- Interfaces stands for a set of all interfaces of FW object, and 

- Direction stands for the direction of packet filtering, i.e. (in or out). 



3 Our Model 



Our model is based on graph theory (e.g. [4]). In particular, network topology can 
be represented by a graph. Then, we argue that a firewall configuration rule can 
be understood as a set of paths in the graph. By treating firewall configuration 
rules as paths, we can reason about the verification and the synthesis of firewall 
rules intuitively and easily. 

First, we propose a general form of firewall rules, called generalized firewall 
rules as a representation of firewall rules which will be used for the verification 
and the synthesis. We shall show that Firewall-1 rules can be converted into 
our generalized firewall rules. The following shows the definition of generalized 
firewall rules. 

Definition 4. A generalized firewall rule consists of the following: (Source, Destination, Service, Direction, Action, FW Interfaces) where 

- Source, Destination, Service and Action are identical to those defined for Firewall-1 rules, 

- Direction has the same meaning as in a Firewall-1 rule, but it can be inbound, outbound or both, and 

- FW Interfaces stand for a set of firewall interfaces which perform (or activate) 
the filtering of the flow. 

Note that the direction both means that packet filtering is performed in both 
directions at specified firewall interfaces. In particular, both is defined by both 
inbound and outbound. Such a rule with both directions is useful for the synthesis 
of firewall rules in the context of either closed or open policies which will be 
discussed later. 

The conversion from Firewall-1 rules to our generalized firewall rules is straightforward, and is shown by the following definition. The resultant generalized firewall rules preserve the order of the filtering rules in the Firewall-1 rules. 

Definition 5. Given the tuple (SFR, SPR) of Firewall-1 rules, for each filtering rule $FR \in SFR$ and for each firewall property rule $PR \in SPR$ whose FW object appears in the Activating FW objects of FR, we obtain the corresponding generalized firewall rule GR in that 

- Source, Destination, Service and Action in GR are Source, Destination, Service 
and Action in FR, respectively, and 

- Direction and FW Interfaces in GR are Direction and Interfaces in PR, respectively. 
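The conversion of Definition 5 is a join of the filtering rules with the property rules on the activated firewall object. The following is an added example, not code from the paper: it performs that join in Python, keeps the order of the filtering rules (which matters, since the first matching rule wins), and emits one generalized rule per activated firewall object. The sample rules are constructed; R1 with interfaces ip1..ip4 follows the paper's Example 1, while R2 = {ip5, ip6}, the other addresses and the services are assumptions.

```python
# Added example (not the paper's code): Definition 5, converting Firewall-1 style rules
# (SFR, SPR) into generalized firewall rules while preserving filtering-rule order.
from typing import Dict, List, Tuple

# Definition 2: (Source, Destination, Service, Action, Activating FW objects)
FilterRule = Tuple[str, str, Tuple[str, int], str, Tuple[str, ...]]
# Definition 3: (FW object, Interfaces, Direction)
PropertyRule = Tuple[str, Tuple[str, ...], str]
# Definition 4: (Source, Destination, Service, Direction, Action, FW Interfaces)
GeneralizedRule = Tuple[str, str, Tuple[str, int], str, str, Tuple[str, ...]]


def to_generalized(sfr: List[FilterRule], spr: List[PropertyRule]) -> List[GeneralizedRule]:
    """Pair every filtering rule with each property rule whose FW object it activates.
    Output order follows SFR, because the first matching rule wins at the firewall;
    a filtering rule that activates n firewall objects yields n generalized rules."""
    by_object: Dict[str, Tuple[Tuple[str, ...], str]] = {}
    for fw_object, interfaces, direction in spr:
        if fw_object in by_object:
            raise ValueError(f"more than one property rule for {fw_object}")
        by_object[fw_object] = (interfaces, direction)
    out: List[GeneralizedRule] = []
    for src, dst, service, action, activating in sfr:
        for fw_object in activating:
            if fw_object not in by_object:
                raise KeyError(f"filtering rule activates unknown firewall object {fw_object}")
            interfaces, direction = by_object[fw_object]
            out.append((src, dst, service, direction, action, interfaces))
    return out


# Constructed sample. R1 with interfaces ip1..ip4 follows the paper's Example 1;
# R2 = {ip5, ip6}, the other addresses and the services are assumptions.
SAMPLE_SPR: List[PropertyRule] = [("R1", ("ip1", "ip2", "ip3", "ip4"), "in"),
                                  ("R2", ("ip5", "ip6"), "in")]
SAMPLE_SFR: List[FilterRule] = [("ip15", "ip9", ("tcp", 21), "permit", ("R1",)),
                                ("any", "ip9", ("tcp", 80), "permit", ("R1", "R2")),
                                ("any", "any", ("tcp", 80), "drop", ("R1", "R2"))]

if __name__ == "__main__":
    for rule in to_generalized(SAMPLE_SFR, SAMPLE_SPR):
        print(rule)
```

Rejecting an unknown firewall object instead of silently skipping it is deliberate: a filtering rule that activates nothing would otherwise vanish from the generalized set and the later verification would reason about a configuration the firewall never enforces.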

The following shows the definition of logical network topology. Our logical 
network topology can capture the ability of sending packets between two parties 
in the physical network topology. 

Definition 6. The network topology is a labeled and undirected graph (V,E) 
where a vertex in V stands for a set of IP addresses, and an edge between two 
vertices stands for a communication link between two sets of IP addresses. 

Indeed, the set V of vertices is defined by the power set of the set of all valid 
IP addresses. Hence, a vertex is represented by the set of IP addresses that the 
vertex stands for. An edge between two vertices means that an IP address in the 
former vertex can send a packet (or information) to another IP address in the 
latter vertex. 

For the internal network, a vertex is represented by a set of a single IP address. Such a vertex intuitively stands for an interface to either a computer or a network device. For the external network, there is a special vertex called all standing for the set of all valid IP addresses. In particular, $all = \{\,x \mid x \text{ is a valid IP address}\,\}$. 

It is required that all firewall interfaces appearing in generalized firewall rules 
must be present as vertices in the network topology. 

Example 1. Physical Network Topology 

[Figure 1: physical network topology] 

In figure 1, R1 and R2 represent two firewall objects, h1, h2, h3 and h4 stand for host computers, and ip1, ip2, ..., ip10 denote IP addresses. In particular, ip1, ip2, ip3, ip4 are the IP addresses of the four firewall interfaces of firewall object R1; ip7, ip8, ip9 and ip10 are the IP addresses of the interfaces of host computers h1, h2, h3 and h4, respectively. It is easy to represent this topology using our definition of logical network topology. This network topology will be used as an example throughout this paper. 

It should be noted that the connections between all firewall interfaces (e.g. ip1, ip2, ip3 and ip4) of firewall object R1 are determined by a routing table. For convenience here, we assume that such information is present. Any paths passing through those firewall interfaces can be determined, and they visit only the necessary firewall interfaces that perform the actual packet filtering. 

Since an edge between two vertices represents an ability of sending a packet, 
the edge is closed under the membership of its vertices. This is expressed by the 
following definition. 

Definition 7. The logical network topology has the following properties: 

1) $\forall u, v, v_1, v_2 \in V\ [\ v_1 \subset v \wedge v_2 \subset v \wedge v_1 \cap v_2 = \emptyset \wedge v_1 \neq \emptyset \wedge v_2 \neq \emptyset \wedge \exists e \in E\ (f(e) = \{u, v\}) \rightarrow \exists e_1, e_2 \in E\ (f(e_1) = \{u, v_1\} \wedge f(e_2) = \{u, v_2\})\ ]$ 
where $f$ is a function mapping an edge to its vertices. 

2) $\neg \exists e \in E\ [\ f(e) = \{u, v\} \wedge u = v\ ]$. 

Definition 8. We use a special name $\omega$ to represent all possible non-cyclic paths labeled with all possible services in the network topology. $\omega$ is treated as a path itself. 

The following shows the properties of $\omega$ paths. 

Definition 9. The following are properties of $\omega$. 

1) $P \cup \{P_1\} = P \cup \{\omega\}$ iff $[\ initial(P_1) = initial(\omega) \wedge terminal(P_1) = terminal(\omega)\ ]$ 

where $P$ and $P_1$ stand for a set of paths and a path, respectively, and $initial(P_1)$ and $terminal(P_1)$ denote the initial and terminal vertex of $P_1$, respectively. 

2) $P \cup P' = P \cup \{P_1\}$ if 

2.1) $[\ initial(P_1) = initial(\omega) \wedge terminal(P_1) = v \wedge$ for all paths $P_2$ in $T$ $((terminal(P_2) = v) \rightarrow (P_2 \in P'))\ ]$ 
where $T$, $v$ and $P'$ stand for a network topology, a vertex, and a set of paths, respectively. 

2.2) $[\ initial(P_1) = v \wedge terminal(P_1) = terminal(\omega) \wedge$ for all paths $P_2$ in $T$ $((initial(P_2) = v) \rightarrow (P_2 \in P'))\ ]$ 

2.3) $[\ P_1 = \omega \wedge$ for all paths $P_2$ $(P_2 \text{ in } T \rightarrow P_2 \in P')\ ]$ 

Note that property 1) defines the initial and terminal vertices of the $\omega$ path. Property 2) however defines the meaning of the $\omega$ path. For example, 2.1) states that a path whose initial vertex is $initial(\omega)$ but whose terminal vertex is an ordinary vertex $v$ is equivalent to all paths in the network topology ending at $v$. 

We argue that a generalized firewall rule can be considered as a set of (either 
permitted or prohibited) paths in a network topology, and such paths are defined 
at a particular interface. Since such a set of paths is defined at a particular 
interface, it is called a local set of paths. The following definition shows the 
equivalence between a generalized firewall rule and a local set of paths. 
Definition 10. Given a network topology T, the local set of paths which corresponds to a generalized firewall rule $GR_{FW\ Interfaces}$ defined for interface FW Interfaces is the set of all non-cyclic paths in T which 

a) begin with the Source vertex, 

b) end at the Destination vertex, 

c) pass through the FW Interfaces vertices in the specified Direction, and 

d) are labeled with Service, 

where Source, Destination, Service, Direction and FW Interfaces are those stated in $GR_{FW\ Interfaces}$. 

The following defines precisely paths that begin with Source vertex, end at 
Destination vertex, and pass through FW Interfaces vertices in the specified 
Direction. 

Definition 11. A path that begins with the Source (S) vertex, ends at the Destination (D) vertex, and passes through the FW Interfaces vertices in the specified Direction is the path P that satisfies the following: 

a) S (D) is a specific IP address (ip) iff $initial(P) = ip$ ($terminal(P) = ip$, resp.). 

b) S (D) is a set (gip) of IP addresses iff $initial(P) = sip$ ($terminal(P) = sip$, resp.), where $sip \subseteq gip$. 

c) S (D) is "any" iff $initial(P) = initial(\omega)$ ($terminal(P) = terminal(\omega)$, resp.). 

d) Direction = inbound iff $\exists F \in FW\_Objects\ \exists i.\ 1 < i < n$ 
$[\ vertex_i(P) \subseteq FW\ Interfaces \wedge FW\ Interfaces \subseteq Interfaces\_of(F) \wedge vertex_{i-1}(P) \not\subseteq Interfaces\_of(F)\ ]$ 

where $n$ is the length of path $P$, and $vertex_i(P_1)$ means the $i$-th vertex in path $P_1$. 

e) Direction = both iff $[\ initial(P) = initial(\omega) \wedge terminal(P) = terminal(\omega) \wedge \exists F \in FW\_Objects\ (FW\ Interfaces \subseteq Interfaces\_of(F))\ ]$ 

Intuitively, a path that satisfies d) must be a path that travels to the desig- 
nated FW Interfaces of a firewall from a vertex which is not in FW Interfaces of 
the same firewall. The definition of the outbound direction is omitted here due 
to space limit, but it is similar to that for the inbound direction. 

As a matter of notation, we use a single IP address to represent the set containing that single IP address. 

Example 2. The local set of paths that corresponds to the rule (ip15, ip9, ftp, inbound, permit, ip1) is $\{\langle ip15, ip1, ip4, ip5, ip6, ip9 \rangle\}$. Note that this path exists due to definition 7. Moreover, the local set of paths that corresponds to the rule ({ip9, ip10}, any, http, inbound, permit, ip6) is $\{\langle ip9, ip6, terminal(\omega) \rangle, \langle ip10, ip6, terminal(\omega) \rangle, \langle \{ip9, ip10\}, ip6, terminal(\omega) \rangle\}$. In addition, the local set of paths that corresponds to the rule (any, any, http, inbound, permit, ip6) is $\{\langle initial(\omega), ip6, terminal(\omega) \rangle\}$. 

Definition 12. Paths that correspond to a generalized firewall rule obtained from Firewall-1 firewall rules are undirected. 

Note that the undirected paths of Firewall-1 mean two-way communications 
between Source and Destination parties, initiated by Source and responded by 
Destination. 
The set operations on paths can be simplified to corresponding set operations 
on vertices in those paths. Such simplification is useful for the verification of 
firewall rules. 

Definition 13. Path expressions can be reduced to vertex expressions as follows: 

1) $P_1\ op\ P_2 = P_3$ if 

a) paths $P_1$, $P_2$ and $P_3$ are of the same length (i.e. $n$), 
b) there is at most one vertex $i$ such that $vertex_i(P_1) \neq vertex_i(P_2)$ and $\forall j \neq i,\ 1 \leq j \leq n\ [\ vertex_j(P_1) = vertex_j(P_2)\ ]$, 
c) path $P_3$ is exactly like path $P_1$ (or $P_2$), except that $vertex_i(P_3) = vertex_i(P_1)\ op\ vertex_i(P_2)$, where $op$ is a set operation (e.g. $\cup$ or $-$). 

2) $P \cup \{P_1\} = P$ if $\exists i\ [\ vertex_i(P_1) = \emptyset\ ]$, where $P$ is a set of paths and $P_1$ is a path. 

Example 3. Suppose that path $P_1 = \{\langle all, ip1, ip4, ip5, ip6, ip9 \rangle\}$, path $P_2 = \{\langle ip17, ip1, ip4, ip5, ip6, ip9 \rangle\}$ and path $P_3 = \{\langle ip13, ip1, ip4, ip5, ip6, ip9 \rangle\}$. Thus $(P_1 \cup P_2) - P_3 = \{\langle all - \{ip13\}, ip1, ip4, ip5, ip6, ip9 \rangle\}$. 

Since there may be many rules activating at an interface, we need to process 
those rules in order to obtain actual effects of those rules at the interface. A set 
of effective paths at an interface is used to represent the actual effects at the 
interface, and it is defined as follows. 

Definition 14. A local set of effective and permitted (prohibited) paths at interface fw-i, for which an ordered set $SGR_{fw\text{-}i}$ of generalized firewall rules is specified, is defined by $P_n$ that satisfies the following two conditions: 

a) $\forall i.\ 0 \leq i < n\ [\ GR^{n-i}_{fw\text{-}i}$ has $LP_{n-i}$ as its local set of paths 
$\rightarrow (\ P_{i+1} = P_i - LP_{n-i} \wedge GR^{n-i}_{fw\text{-}i}$ is a drop (permit, resp.) rule $) \vee (\ P_{i+1} = P_i \cup LP_{n-i} \wedge GR^{n-i}_{fw\text{-}i}$ is a permit (drop, resp.) rule $)\ ]$ 

b) $P_n$ is minimal in that there is no $P'_n$ that satisfies a) and $P'_n \subset P_n$, 
where 

- $n$ is the number of rules in $SGR_{fw\text{-}i}$, 

- $GR^{j}_{fw\text{-}i}$ is the $j$-th generalized firewall rule in $SGR_{fw\text{-}i}$, defined at fw-i, 

- $P_0$ is simply $\emptyset$. 

Note that in condition b), a $P'_n$ that satisfies condition a) means that such a $P'_n$ is obtained from the same set expressions as $P_n$, according to condition a). 

There might be several possible sets of paths that satisfy a) in this definition. By requiring the minimality of the resultant set of effective paths, we ensure that the set of effective paths is the one consisting of paths that have been simplified from path expressions to vertex expressions by definition 13 as much as possible. It should be noted that if the subtraction on sets is evaluated correctly, the resultant set is smaller than the one that would have been obtained incorrectly. 

Example 4. The following are examples of local sets of effective paths: 

a) Suppose the (ordered) set $SGR_{ip6}$ = {(ip9, any, http, inbound, drop, ip6), ({ip9, ip10}, any, http, inbound, permit, ip6)}. The local set of effective and permitted paths at interface ip6 is $\{\langle ip10, ip6, terminal(\omega) \rangle\}$. Note that this set satisfies the minimality requirement in b). 

b) Suppose $SGR_{ip6}$ = {(ip9, any, http, inbound, drop, ip6), (any, any, http, inbound, permit, ip6)}. The local set of effective and permitted paths is $\{\langle initial(\omega) - ip9, ip6, terminal(\omega) \rangle\}$. 

Intuitively, definition 14 can be seen as a transformation from an ordered set 
of firewall rules to nested expressions of set operations on paths. The concept 
that an upper rule takes precedence over a lower rule is still preserved in nested 
expressions. Further discussion on definition 14 can be found in [3]. 

The following shows the definition to compute a global set of effective and 
permitted paths from every local set of effective and permitted paths. Intuitively, 
a global set of effective paths stands for paths that are effective at all firewall 
interfaces through which the paths visit. 

Definition 15. The global set of effective and permitted (prohibited) paths is GEP that satisfies the following: 

$\forall P\ [\ P \in GEP \leftrightarrow P \in \bigcap_{i \in fw\text{-}interface(P)} LEP_i\ ]$ 

where 

- $LEP_i$ is the local set of effective and permitted (prohibited, resp.) paths at interface $i$, and 

- $fw\text{-}interface(P)$ denotes the set of vertices in path $P$ which are interfaces to some firewalls. 

4 Verification of Firewall Configurations 

Before we discuss the verification of firewall configurations, we need to discuss 
the concept of information flows, first. 

Definition 16. An information flow can be represented by either a path or a 
triple (source, destination, service). 

The triple represents end-to-end information flow which is regardless of paths 
between the two ends. For simplicity here, we shall focus on the information flow 
represented by paths, called path-based information flows. 

4.1 Correctness of Firewall Rules 

This kind of reasoning aims to test that the effects of a set of firewall rules are those intended by the firewall administrator. First, the administrator must define a set of intended information flows; the calculated effects of the firewall rules are then compared with that set. 

Definition 17. An intended information flow is a tuple (PIF, NIF) where PIF and NIF are two finite sets which represent positive and negative information flows, respectively, for each service. 

Intuitively, positive and negative information flows represent permitted and prohibited information flows, respectively. Moreover, an intended information flow can also be defined for a particular service. 

Definition 18. The intended information flow has the following properties: 

a) $PIF \cup NIF \neq \emptyset$ 
b) $PIF \cap NIF = \emptyset$ 

We argue that our definition for intended information flows is adequate for 
its purpose since it can easily capture the correctness of firewall configurations 
in the context of many kinds of policies. Intuitively, those kinds of policy offer 
different ways to characterize the global set of effective and permitted paths. 

The following shows the definition of the correctness in the context of closed, 
open, openly neutral and closely neutral policies. 

Definition 19. Given an intended information flow (PIF, NIF), a set of generalized firewall rules is correct in the context of 

a) closed policy iff $PIF = GEP$ 

b) open policy iff $\neg \exists F \in NIF\ [\ F \in GEP\ ]$, and 
$\forall F \in AllFlows(T)\ [\ F \notin NIF \rightarrow F \in GEP\ ]$ 

c) openly neutral policy iff $(PIF \subseteq GEP)$, and $\neg \exists F \in NIF\ [\ F \in GEP\ ]$ 

d) closely neutral policy iff $(GEP \subseteq PIF)$, and $\neg \exists F \in NIF\ [\ F \in GEP\ ]$ 

where GEP is the global set of effective and permitted paths generated from the generalized firewall rules, and $AllFlows(T)$ denotes the set of all possible flows in network topology T. 

Intuitively, the closed policy states that PIF is exactly the set of flows globally permitted. On the other hand, the open policy states that whatever is not in NIF is globally permitted. The neutral policies do not state exactly what the globally permitted flows (GEP) consist of, but they require that NIF must not be globally permitted. In particular, the openly neutral policy states that GEP can be any superset of PIF. On the other hand, the closely neutral policy states that GEP can be any subset of PIF. 



4.2 Ineffective Firewall Rules 

Our model can reason about rules that produce no effects. We call those rules 
ineffective. 

Definition 20. Given a set SGR of generalized firewall rules at an interface, 
rule GR in SGR is ineffective if and only if GEP = GEP' where GEP and GEP' 
are the global sets of effective and permitted paths generated from SGR, and 
(SGR - GR), respectively. 

Example 5. The rule (ip9, ip7, http, outbound, permit, ip4) is ineffective since all the paths from ip9 to ip7 visit ip4 in the inbound direction according to the network topology. 
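Definitions 13 and 14 (illustrated by Example 4), Definition 15, Definition 19 and Definition 20 together form a small verification procedure: fold each interface's ordered rules into a local set of effective paths, intersect the local sets along each flow's path, and compare the result with the intended flows. The following is an added example, not code from the paper, that carries this out in Python. Local paths are written as $\langle src, interface, dst \rangle$; a vertex is a finite set of addresses or a co-finite one ("all addresses except these"), which is how expressions such as $initial(\omega) - ip9$ are kept without enumerating the address space. The firewall interfaces a flow visits, and the direction at each, are given as part of the flow rather than derived from a topology. The rule set is constructed: its first two rules are Example 4 a) and its last rule is Example 5; the other permits, and the assumption that R2 owns ip5 and ip6, are mine. Where a subtracted path differs from an existing one in both src and dst, the flow rectangle is split into two pieces; that goes beyond Definition 13, which covers the one-differing-vertex case, but is set-theoretically exact.

```python
# Added example (not the paper's code): local effective paths (Definitions 13, 14,
# Example 4), global effective paths (Definition 15), policy correctness (Definition 19)
# and ineffective-rule detection (Definition 20) over flows whose interface visits are given.
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class VSet:
    """A vertex: a set of IP addresses. cofinite=True means 'every valid address except
    members', which represents initial(w)/terminal(w) minus a few hosts symbolically."""
    members: FrozenSet[str] = frozenset()
    cofinite: bool = False

    @staticmethod
    def of(*ips: str) -> "VSet":
        return VSet(frozenset(ips))

    def __sub__(self, o: "VSet") -> "VSet":
        if not self.cofinite and not o.cofinite:
            return VSet(self.members - o.members)
        if not self.cofinite:                           # finite minus cofinite
            return VSet(self.members & o.members)
        if not o.cofinite:                              # cofinite minus finite
            return VSet(self.members | o.members, True)
        return VSet(o.members - self.members)           # cofinite minus cofinite

    def __and__(self, o: "VSet") -> "VSet":
        if not self.cofinite and not o.cofinite:
            return VSet(self.members & o.members)
        if not self.cofinite:
            return VSet(self.members - o.members)
        if not o.cofinite:
            return VSet(o.members - self.members)
        return VSet(self.members | o.members, True)

    def empty(self) -> bool:
        return not self.cofinite and not self.members

    def __contains__(self, ip: str) -> bool:
        return (ip in self.members) != self.cofinite


ANY = VSet(cofinite=True)                                 # initial(w) / terminal(w)
Rule = Tuple[VSet, VSet, str, str, str, str]              # Definition 4: src, dst, service, direction, action, iface
LocalPath = Tuple[str, VSet, VSet]                        # (direction, src, dst) at one interface
Flow = Tuple[str, str, str, Tuple[Tuple[str, str], ...]]  # src ip, dst ip, service, ((iface, direction), ...)


def subtract(paths: Set[LocalPath], lp: LocalPath) -> Set[LocalPath]:
    """P - {lp}: vertex subtraction when one vertex differs (Definition 13, 1); when src and
    dst both differ the rectangle src x dst is split into the two pieces outside lp (an
    extension of Definition 13). Pieces with an empty vertex vanish (Definition 13, 2)."""
    out: Set[LocalPath] = set()
    for d, s, t in paths:
        if d != lp[0]:
            out.add((d, s, t))
            continue
        for piece in ((d, s - lp[1], t), (d, s & lp[1], t - lp[2])):
            if not piece[1].empty() and not piece[2].empty():
                out.add(piece)
    return out


def local_effective(rules: List[Rule], iface: str, service: str, permitted: bool = True) -> Set[LocalPath]:
    """Definition 14: fold the ordered rules from last to first so an upper rule overrides a
    lower one. A 'both' rule is expanded into inbound and outbound. Returns LEP+ or LEP-."""
    P: Set[LocalPath] = set()                                     # P_0 is the empty set
    for src, dst, svc, direction, action, at in reversed(rules):
        if at != iface or svc != service:
            continue
        for d in (("inbound", "outbound") if direction == "both" else (direction,)):
            lp = (d, src, dst)
            P = (P | {lp}) if (action == "permit") == permitted else subtract(P, lp)
    return P


def globally_permitted(rules: List[Rule], flow: Flow) -> bool:
    """Definition 15: a path is in GEP iff it lies in LEP_i at every firewall interface it visits."""
    src, dst, service, hops = flow
    return all(any(d == direction and src in s and dst in t
                   for d, s, t in local_effective(rules, iface, service))
               for iface, direction in hops)


def global_effective(rules: List[Rule], all_flows: FrozenSet[Flow]) -> Set[Flow]:
    return {f for f in all_flows if globally_permitted(rules, f)}


def policy_ok(rules: List[Rule], all_flows: FrozenSet[Flow], pif: FrozenSet[Flow],
              nif: FrozenSet[Flow], policy: str) -> bool:
    """Definition 19 checked over an enumerated AllFlows(T)."""
    gep = global_effective(rules, all_flows)
    nif_blocked = not (nif & gep)
    if policy == "closed":
        return gep == pif
    if policy == "open":
        return nif_blocked and gep == all_flows - nif
    if policy == "openly neutral":
        return pif <= gep and nif_blocked
    if policy == "closely neutral":
        return gep <= pif and nif_blocked
    raise ValueError(policy)


def ineffective(rules: List[Rule], k: int, all_flows: FrozenSet[Flow]) -> bool:
    """Definition 20: rule k has no effect if GEP is unchanged when it is removed."""
    return global_effective(rules, all_flows) == global_effective(rules[:k] + rules[k + 1:], all_flows)


# Constructed rule set: rules 1-2 are Example 4 a), the last rule is Example 5, the rest are
# assumed permits so that some flow gets through. Interface directions follow Definition 11 d)
# on the Example 1 topology (R1 = ip1..ip4; R2 = ip5, ip6 is an assumption).
SGR: List[Rule] = [
    (VSet.of("ip9"), ANY, "http", "inbound", "drop", "ip6"),
    (VSet.of("ip9", "ip10"), ANY, "http", "inbound", "permit", "ip6"),
    (ANY, ANY, "http", "outbound", "permit", "ip6"),
    (ANY, ANY, "http", "both", "permit", "ip5"),
    (ANY, ANY, "http", "inbound", "permit", "ip4"),
    (ANY, ANY, "http", "both", "permit", "ip2"),
    (VSet.of("ip9"), VSet.of("ip7"), "http", "outbound", "permit", "ip4"),
]
TO_IP7 = (("ip6", "inbound"), ("ip4", "inbound"), ("ip2", "outbound"))
FROM_IP7 = (("ip2", "inbound"), ("ip4", "outbound"), ("ip5", "inbound"), ("ip6", "outbound"))
FLOWS: FrozenSet[Flow] = frozenset({("ip9", "ip7", "http", TO_IP7), ("ip10", "ip7", "http", TO_IP7),
                                    ("ip7", "ip9", "http", FROM_IP7), ("ip7", "ip10", "http", FROM_IP7)})
```

Running `local_effective(SGR, "ip6", "http")` reproduces Example 4 a): the inbound part of the result is the single path $\langle ip10, ip6, terminal(\omega) \rangle$, because the drop rule above the permit subtracts ip9 from the source vertex. The last rule of SGR is reported ineffective by `ineffective(SGR, 6, FLOWS)` for the reason given in Example 5: every flow from ip9 to ip7 reaches ip4 inbound, so an outbound rule there never contributes a path. Minimality (condition b of Definition 14) is not enforced by the union step; merging paths that differ in one vertex would be the next refinement.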
5 Synthesis of Firewall Rules 

The synthesis methodology takes intended information flows as input, and pro- 
duces an ordered set of generalized firewall rules that satisfies the intended in- 
formation flows. In other words, such set of generalized firewall rules obtained is 
correct with respect to those intended information flows. 

Before we discuss the synthesis methodology, we need to understand some 
notations. 

Definition 21. We use $LEP_i^+$ and $LEP_i^-$ to represent the local sets of effective and permitted (and prohibited, respectively) paths at interface $i$. 

Definition 22. The local sets of effective and permitted (and prohibited) paths have the following properties: 

a) For any interface $i$, $LEP_i^+ \cup LEP_i^- = \{\omega\}$. 

b) For any interface $i$, $LEP_i^+ \cap LEP_i^- = \emptyset$. 

Proposition 1. For any interface $i$, $LEP_i^+ = (\{\omega\} - LEP_i^-)$. 

It should be noted that an intended information flow (PIF, NIF) can be considered as two global sets of effective and permitted (and prohibited, respectively) paths. The following shows the definition for the synthesis of firewall configurations in the context of many policies. 

Definition 23. Given an intended information flow (PIF, NIF) defined for a particular service, the synthesis of a set of generalized firewall rules consists of the following two steps: 

1) Decompose the two global sets of effective paths (PIF, NIF) into local sets of effective paths $(PIF_i, NIF_i)$ at each firewall interface $i$, by using definition 15. 

2) Generate an ordered set $SGR_j$ of generalized firewall rules defined for firewall interface $j$ from the local set (LS) of effective paths obtained from 1) at interface $j$, by using definition 14 and the following: 

2.1) For the closed policy, LS is $LEP_j^- = (\{\omega\} - PIF_j)$. 

2.2) For the open policy, LS is $LEP_j^+ = (\{\omega\} - NIF_j)$. 

2.3) For the openly neutral policy: 

If $PIF_j \neq \emptyset$, 

then LS is $LEP_j^+ = (PIF_j \cup PIF'_j) - NIF_j$, where $PIF'_j \subseteq \{\omega\}$, 
else LS is $LEP_j^- = \{\omega\} - PIF''_j$, where $PIF''_j \subseteq \{\omega\} - NIF_j$. 

2.4) For the closely neutral policy: 

If $PIF_j \neq \emptyset$, 

then LS is $LEP_j^+ = PIF'_j - NIF_j$, where $PIF'_j \subseteq PIF_j$ and $PIF'_j \neq \emptyset$, 
else LS is $LEP_j^- = \{\omega\}$. 

Example 6. Suppose that $PIF = \{\langle ip7, ip2, ip4, ip5, ip6, ip9 \rangle\}$, and its service label is http. Suppose we want to generate a set of firewall rules that implement the closed policy. Thus, it follows from step 1) that $PIF = PIF_{ip2} = PIF_{ip4} = PIF_{ip5} = PIF_{ip6}$. Let us consider only $PIF_{ip6}$. By 2.1), $LEP^-_{ip6} = \{\omega\} - PIF_{ip6}$. Since this local set of effective paths is for prohibited paths, it follows from definition 14 that the rule defined for ip6 that corresponds to $PIF_{ip6}$ is (ip7, ip9, http, outbound, permit, ip6). As a result, $SGR_{ip6}$ = {(ip7, ip9, http, outbound, permit, ip6), (any, any, http, both, drop, ip6)}. 
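Steps 1) and 2) of Definition 23 are mechanical once the direction in which each global path visits each firewall interface is known (Definition 11 d) and its outbound counterpart). The following is an added example, not code from the paper, that carries out the synthesis for the closed (2.1) and open (2.2) policies on the path of Example 6 and reproduces the rule set $SGR_{ip6}$ stated there. Firewall membership of interfaces is given explicitly: R1 = ip1..ip4 follows Example 1, while R2 = ip5, ip6 is an assumption; the function and variable names are mine.

```python
# Added example (not the paper's code): Definition 23, steps 1) and 2), for the closed (2.1)
# and open (2.2) policies, on the path of the paper's Example 6. R1 = ip1..ip4 follows
# Example 1; R2 = {ip5, ip6} is an assumption.
from typing import Dict, List, Optional, Set, Tuple

Path = Tuple[str, ...]                       # a global path, one IP address per vertex
Rule = Tuple[str, str, str, str, str, str]   # Definition 4: src, dst, service, direction, action, interface

FIREWALLS: Dict[str, Set[str]] = {"R1": {"ip1", "ip2", "ip3", "ip4"}, "R2": {"ip5", "ip6"}}


def owner(vertex: str) -> Optional[str]:
    """Firewall object whose interface this vertex is, or None for a host."""
    return next((fw for fw, ifs in FIREWALLS.items() if vertex in ifs), None)


def direction_at(path: Path, i: int) -> str:
    """Definition 11 d) and its outbound counterpart: path[i] is visited inbound when the
    previous vertex is not an interface of the same firewall, outbound when the next one
    is not, and both when the firewall is entered and left at this interface."""
    fw = owner(path[i])
    inbound = i > 0 and owner(path[i - 1]) != fw
    outbound = i + 1 < len(path) and owner(path[i + 1]) != fw
    if inbound and outbound:
        return "both"
    return "inbound" if inbound else "outbound"


def decompose(paths: Set[Path]) -> Dict[str, List[Tuple[Path, str]]]:
    """Step 1): the local set at interface j is every global path that visits j, together
    with the direction of the visit (Definition 15 read from the global set to the local ones)."""
    local: Dict[str, List[Tuple[Path, str]]] = {}
    for path in sorted(paths):
        for i, v in enumerate(path):
            if owner(v) is not None:
                local.setdefault(v, []).append((path, direction_at(path, i)))
    return local


def synthesize(pif: Set[Path], nif: Set[Path], service: str, policy: str) -> Dict[str, List[Rule]]:
    """Step 2) for one service. Closed policy: LS is LEP- = {w} - PIF_j, so PIF_j becomes
    permit rules above a catch-all drop. Open policy: LS is LEP+ = {w} - NIF_j, so NIF_j
    becomes drop rules above a catch-all permit. Rule order follows Definition 14."""
    if policy == "closed":
        explicit, action, default = decompose(pif), "permit", "drop"
    elif policy == "open":
        explicit, action, default = decompose(nif), "drop", "permit"
    else:
        raise ValueError("only the closed and open policies are synthesized here")
    result: Dict[str, List[Rule]] = {}
    for iface in sorted(i for ifs in FIREWALLS.values() for i in ifs):
        rules: List[Rule] = [(p[0], p[-1], service, d, action, iface) for p, d in explicit.get(iface, [])]
        rules.append(("any", "any", service, "both", default, iface))
        result[iface] = rules
    return result


EXAMPLE_6_PIF: Set[Path] = {("ip7", "ip2", "ip4", "ip5", "ip6", "ip9")}   # the paper's Example 6

if __name__ == "__main__":
    for iface, rules in synthesize(EXAMPLE_6_PIF, set(), "http", "closed").items():
        print(iface, rules)
```

Interfaces that no intended path visits (ip1 and ip3 here) receive only the catch-all rule, which is what makes the closed policy closed: the global set of effective paths is exactly PIF because every interface on every other path drops. The neutral policies of 2.3) and 2.4) leave a choice of $PIF'_j$ and are not generated here.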

Definition 24. The following are required desirable properties of a set SGR of 
generalized firewall rules that is obtained from our synthesis methodology. 

1 ) Finiteness : SGR must be finite. 

2) Effectiveness : SGR must be free of any ineffective rules. 

3) Minimal: SGR must be minimal in that there is no other set SGR' of generalized firewall rules such that $GEP = GEP'$ and $|SGR'| < |SGR|$, where GEP and GEP' are the global sets of effective paths generated from SGR and SGR', resp. 

6 The Correctness of the Verification and Synthesis 

The conformance testing technique [5] is employed here to ensure that the model 
presented in this paper for verification is correct with respect to actual firewall 
products. Conformance testing is a general technique to ensure that a specifica- 
tion corresponds to an actual implementation. 

Similar to the conformance testing done in [3] for Cisco routers, the conformance testing here is carried out by constructing test data and comparing the outputs obtained from our model with those from the actual Firewall-1 firewall. The result obtained shows that the model for verification presented here is correct with respect to the Firewall-1 firewall. 

We prove the correctness of the synthesis in the following. Due to space limit, 
we omit the proof details here. 

Theorem 1. A set SGR of generalized firewall rules that is generated by our 
synthesis methodology produces the global set GEP of effective paths that satisfies 
the correctness property for each kind of policy. 

7 Related Works 

Firmato [6] offers a synthesis methodology for firewall rules. It offers the use 
of role-based policy for specifying intended information flows. Such role-based 
policy is a high-level policy. However, Firmato deals only with the synthesis in the 
context of closed policy. Furthermore, it does not analyze any desirable properties 
of synthesized firewall rules at all. It would be interesting to incorporate the use 
of role-based policy to specify intended information flows into our framework. 

Filtering postures [7] offers both verification and synthesis of firewall rules. However, the kind of firewall rules that are verified or synthesized is order-insensitive, and thus those rules are very different from actual firewall rules. As a result, it does not offer any understanding of the effect of rule ordering, unlike our approach. Furthermore, the only verification offered by filtering postures is identical to correctness in the context of the closely neutral policy in our approach. It does not analyze properties of synthesized firewall rules. 




A Unified Methodology for Verification and Synthesis 339 



Fang [8] is a software tool which aims to verify firewall rules. The main verification that Fang offers is the generation of the final effects of firewall rules. However, Fang's approach is ad hoc in that it simply simulates the final effects of firewall rules without giving any explanation of the effects of ordered rules. 

8 Conclusion 

We have presented a general and unified methodology for verifying and synthe- 
sizing firewall configurations. Our methodology has several benefits in that it can 
analyze the correctness of firewall configurations and also generate configurations 
in the context of many kinds of policies. 

We have applied our verification methodology to case studies in [9]. We are 
currently implementing a software prototype of our model. Also, we are applying 
our synthesis methodology to case studies. 
Abstract. Network Denial of Service (DoS) attacks are increasing in 
frequency, severity and sophistication, making it desirable to measure 
the resilience of systems to DoS attacks. In this paper, we propose a 
simulation-based methodology and apply it to attacks on object location 
services such as DNS. Our results allow us to contrast the DoS resilience 
of three distinct architectures for object location. 



1 Introduction 

Today’s exponential growth in storage, bandwidth, and computational resources 
has fundamentally changed the way that applications are constructed. A single 
networked computer can now access vast distributed databases, execute pro- 
grams on remote supercomputers, and communicate with billions of other de- 
vices. Opportunities are limited only by the imagination. 

Unfortunately, with networking comes the potential for Denial of Service 
(DoS) attacks, where a DoS attack is any malicious action that reduces the 
availability of a resource to one or more users. From 1989-1995 the number of 
DoS attacks increased 50% per year [13]. Additionally, a 1999 CSI/FBI survey 
reported that 32% of respondents detected DoS attacks directed at their sys- 
tems [15]. More recently, Yankee Group, an Internet research firm, estimated 
that DoS attacks cost $1.2 billion in lost revenues in 2000 [9]. Given the prolif- 
eration of DoS attacks, many mission-critical applications claim DoS resilience. 
To test these claims, there is a desire for a general methodology to measure the 
resilience of a system or service to network DoS attacks. 

As the first step towards this ambitious goal, we explore DoS resilience in an 
important component of many networked applications: the object location ser- 
vice (OLS). Object location services map abstract names to physical locations; 
a well-known example is the Domain Name Service (DNS). In addition to ad- 
ministrative convenience, the presence of an object location service permits the 
system to create copies of objects close to where they are needed, thereby maxi- 
mizing locality, availability and reliability. Given its central importance to many 
applications, the object location service is a natural target for DoS attacks. 

We explore three architectures for object location services: a centralized directory, a replicated directory, and a distributed directory. We subject a realistic simulation of these services to two classes of denial of service attacks, namely flooding attacks and corruption attacks. We then contrast the DoS resilience of these architectures and conclude with some thoughts about methodology. 



S. Qing, T. Okamoto, and J. Zhou (Eds.): ICICS 2001, LNCS 2229, pp. 340-351, 2001. 
(c) Springer-Verlag Berlin Heidelberg 2001 
Fig. 1. A Centralized Directory Service (CDS): Clients contact a single directory to discover the location of a close replica. Clients subsequently contact the replica directly. A Replicated Directory Service (RDS) provides multiple directories. 



Fig. 2. A Distributed Directory (Tapestry): Nodes connected via links (solid arrows). Nodes route to nodes one digit at a time: e.g. 1010 → 2218 → 9098 → 7598 → 4598. Objects are associated with one particular "root" node (e.g. 4598). Servers publish replicas by sending messages toward the root, leaving back-pointers (dotted arrows). Clients route directly to replicas by sending messages toward the root until encountering a pointer (e.g. 0325 → B4F8 → 4432). 



2 Architectures for Object Location 

Networked applications are extending their reach to a variety of devices and services over the Internet. Applications expanding to leverage these network resources find that locating objects on the wide-area is an important problem. Further, the read-mostly model of shared access, widely popularized by the World-Wide Web, has led to extensive object replication, compounding the problem of object location. Work on location services has been done in a variety of contexts [8,12,14,27]. These approaches can be roughly categorized into three groups: Centralized Directory Services (CDS), Replicated Directory Services (RDS), and Distributed Directory Services (DDS). 

2.1 Centralized and Replicated Directory Services 

A centralized directory service (CDS) resides on a single server and provides 
location information for every object on the network. See Figure 1. Because it 
resides on a single server, it is extremely vulnerable to DoS attacks. A variant of 
this is the replicated directory service (RDS) which provides multiple directory 
servers. An RDS provides higher availability, but suffers consistency overhead. 

2.2 Distributed Directory Services: The Tapestry Infrastructure 

Networking researchers have begun to explore decentralized location services [27,21,24]. Such services offer a distributed infrastructure for locating objects 
quickly, with guaranteed success and locality. Rather than depending on a single 
server to locate an object, a query in this model is passed around the network 
until it reaches a node that knows the location of the requested object. The lack 
of a single target in decentralized location services means they provide very high 
availability even under attack; the effects of successfully attacking and disabling 
a set of nodes is limited to a small set of objects. 

We chose Tapestry [27] as our example of this type of service. Tapestry is an 
IP overlay network that uses a distributed, fault-tolerant architecture to track 
the location of every object in the network. Tapestry has two components: a 
routing mesh and a distributed directory service. 

Tapestry Routing Mesh: Figure 2 shows a portion of Tapestry. Each Tapestry node has a unique hexadecimal address drawn from a random distribution. Tapestry nodes are connected via neighbor links of varying levels; these are shown as solid arrows. The level-1 links (L1) from a node connect to the 16 closest nodes (1) with different values in the lowest digit of the address. Level-2 links (L2) connect to the 16 closest nodes that match in the lowest digit and have different second digits, etc. Such neighbor links provide a route from every node to every other node; the routing process resolves the destination address one digit at a time. This routing scheme is based on the hashed-suffix routing structure originally presented by Plaxton, Rajaraman, and Richa [19]. 

Tapestry Distributed Directory Service: Tapestry assigns a globally- 
unique name (GUID) to every object. It then deterministically maps each GUID 
to a unique root node. Storage servers publish objects by sending messages to- 
ward the roots, depositing location pointers at each hop. Figure 2 shows two 
replicas and the Tapestry root for an object. Location pointers are shown as dot- 
ted arrows that point back to replica servers. To locate an object, a client sends 
a message toward the object’s root. When the message encounters a pointer, 
it routes directly to the object. It is shown in [19] that the average distance 
traveled in locating an object is proportional to the distance from that object. 

The root of the tree must know where one or more replicas of the object reside in order to guarantee that replicas can be located. This makes it an obvious target for a DoS attack. We will exploit this vulnerability later (2). 
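The two mechanisms described above, suffix routing that resolves one digit per hop and the publish/locate protocol that deposits pointers toward an object's root, are small enough to simulate directly, and a simulation is what the paper uses to measure resilience. The following is an added example, not code from the paper nor from the Tapestry implementation: a toy overlay over a constructed node set whose identifiers are taken from Fig. 2. "Closest" neighbour selection by latency (footnote 1) is replaced by a fixed sorted-order tie-break, a single root per object is used (footnote 2), and the GUID-to-root mapping is the live node sharing the longest suffix with the GUID; all three are assumptions of this example. Disabling the root of one object shows the property the text states: that object becomes unlocatable while objects rooted elsewhere are unaffected.

```python
# Added example (not the paper's code nor Tapestry's): a toy suffix-routed overlay with
# publish and locate over a constructed node set. Neighbour choice uses a sorted-order
# tie-break instead of network latency, and each object has a single root.
from typing import Dict, List, Optional

DIGITS = 4   # hexadecimal address length of the constructed node set


def suffix_match(a: str, b: str) -> int:
    """Number of trailing digits on which two addresses agree."""
    n = 0
    while n < len(a) and n < len(b) and a[-1 - n] == b[-1 - n]:
        n += 1
    return n


class Overlay:
    def __init__(self, node_ids: List[str]) -> None:
        self.nodes = sorted(node_ids)
        self.pointers: Dict[str, Dict[str, str]] = {n: {} for n in self.nodes}  # node -> guid -> server

    def root(self, guid: str) -> str:
        """Deterministic GUID -> root mapping: the live node sharing the longest suffix."""
        return min(self.nodes, key=lambda n: (-suffix_match(n, guid), n))

    def next_hop(self, cur: str, dest: str) -> Optional[str]:
        """Resolve one more trailing digit of dest: follow the level-(k+1) link to a live
        node matching k+1 trailing digits, where k is how many cur already matches."""
        k = suffix_match(cur, dest)
        if k >= DIGITS:
            return None
        cands = [n for n in self.nodes if n.endswith(dest[-(k + 1):])]
        return cands[0] if cands else None

    def route(self, src: str, dest: str) -> List[str]:
        path = [src]
        while path[-1] != dest:
            nxt = self.next_hop(path[-1], dest)
            if nxt is None:
                raise RuntimeError(f"no route from {src} to {dest}")
            path.append(nxt)
        return path

    def publish(self, guid: str, server: str) -> None:
        """Send toward the root, leaving a location pointer at every hop."""
        for n in self.route(server, self.root(guid)):
            self.pointers[n][guid] = server

    def locate(self, guid: str, client: str) -> Optional[str]:
        """Route toward the root; the first pointer encountered names the replica's server."""
        for n in self.route(client, self.root(guid)):
            if guid in self.pointers[n]:
                return self.pointers[n][guid]
        return None

    def disable(self, node: str) -> None:
        """Model a node taken out of service: it no longer routes and its pointers are lost."""
        self.nodes.remove(node)
        del self.pointers[node]


NODES = ["1010", "2218", "9098", "7598", "4598", "0325", "B4F8", "4432"]   # constructed, ids from Fig. 2


def build_demo() -> Overlay:
    """Two published objects: one rooted at 4598 (replica on 9098), one at B4F8 (replica on 1010)."""
    ov = Overlay(NODES)
    ov.publish("4598", "9098")
    ov.publish("B4F8", "1010")
    return ov


if __name__ == "__main__":
    ov = build_demo()
    print("route 1010 -> 4598:", ov.route("1010", "4598"))
    print("locate 4598 from 0325:", ov.locate("4598", "0325"))
    ov.disable("4598")
    print("after root 4598 is down:", ov.locate("4598", "0325"), ov.locate("B4F8", "4432"))
```

Each hop strictly increases the number of matched trailing digits, so a route takes at most DIGITS hops. After `disable("4598")` the GUID maps to a surrogate root that holds no pointer for the object, so `locate` returns None until the server republishes, whereas the object rooted at B4F8 is still found on the first hop that carries its pointer.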

3 Assessing the Risk 

DoS attacks are difficult to analyze because they are system-wide phenomena. 
Viewing components or attackers in isolation often fails to expose interesting 
behavior. As a consequence, we choose to observe a simulation of a complete 
system, including realistic network topology, client workloads, server architec- 
ture, and attack profiles. Section 4 will describe the simulation environment in 
detail. Here we wish to understand the types of attacks that might be mounted 
against object location services and how we can assess their impact. 

¹ “Closest” with respect to network latency. 

² The Tapestry infrastructure in [27] employs multiple roots; we did not simulate this. 
Fig. 3. Structure of a distributed DoS (DDoS) attack 



3.1 Threat Models 

Denial of Service attacks come in many shapes and sizes. In fact, the CERT 
Coordination Center [6] has proposed the following taxonomy: 

— Consumption of network connectivity and/or bandwidth 

— Consumption of other resources, e.g. CPU cycles or kernel data structures 

— Destruction or alteration of configuration information 

— Physical destruction or alteration of network components 

Specializing this set for object location services, we identify two general classes 
of attack: Flooding Attacks and Corruption Attacks: 



Flooding Attacks: The most popular network DoS attack is the flooding attack, 
in which the attacker sends superfluous requests at a high rate. Flooding 
attacks overload the victim’s resources (such as queues and CPU), and also 
swamp the local routers, gateways and links. These DoS attacks can be classified 
as point-to-point or distributed. There are four major point-to-point DoS 
attacks: TCP SYN flooding, UDP flooding, ICMP flooding and Smurf attacks 
[10]. 

Distributed DoS (DDoS) attacks combine point-to-point DoS attacks with 
distributed and coordinated control. Figure 3 shows the structure of a DDoS 
attack, with one or more attackers controlling handlers, with each handler 
controlling multiple agents³. Handlers and agents are extra layers introduced to 
increase the rate of packet traffic as well as hide the attackers from view. Each 
agent can choose the size and type of packets as well as the duration of flooding. 
While the victim may be able to identify some agents and have them taken 
off-line, the attacker can monitor the effects of the attack and create new agents 
accordingly [10]. In general, attack simulation parameters should be chosen to 
cover a sufficient spectrum of attack traffic versus legitimate traffic to show 
interesting results. 

³ Compromised hosts responsible for generating packet streams directed at the victim. 
Corruption Attacks: When an attacker corrupts or destroys information, we 
call this a corruption attack. There are numerous variants on this type of attack. 
For instance an attacker might alter configuration information to prevent the use 
of a computer or network. Or, an attacker might corrupt routing tables, causing 
victim nodes to redirect traffic toward the attacker, which would subsequently 
drop or deny requests. It is not possible to test all attacks, so typical examples 
of this category should be simulated and measured. 

3.2 Measuring Resilience 

DoS attacks reduce resource availability. Here, availability refers to a spectrum 
of service quality, not simply “up” versus “down”. Though the choice of Quality 
of Service (QoS) metrics depends on the system or service being studied, 
Brown and Patterson have suggested performance, completeness, accuracy and 
capacity as starting points [4]. For our particular study, we consider metrics of 
response latency, request throughput, and time to recover⁴. We examine the level 
of degradation of a service under attack to assess the resilience of that service. 

Of course, Denial of Service is multidimensional in that system A may be 
more resilient than system B for one type of attack but less resilient for 
another. Usually, the particular threat-model under consideration defines a set of 
dimensions, one for each class of threat. Combining these dimensions to yield a 
particular resilience ranking is a very system-specific task and hard to general- 
ize. Our solution is to be sufficiently specific in the definition of the threat model 
and only quantify the resilience in that model. 

4 Experimental Setup 

We built a complete system on top of ns [3]. All of our nodes function as both 
clients and hosts with a subset providing the directory service. Clients send 
lookup requests to the directory service, which either returns the location of a 
replica or forwards the request directly to the replica. We selected some nodes 
to be attackers and measured changes in the availability of system resources. 

We used 1000 node network topologies generated by GT-ITM [26] using a 
transit-stub model. We then extended these topologies with common network 
bandwidths as recommended in [16]. Our routers use simple drop-tail queuing 
(we assumed attackers will spoof their IP addresses, defeating any filtering done 
by more complicated queuing policies). More details are in [5]. 

4.1 Client Operation 

We generated synthetic client workloads using both Zipf’s law [1] and hot-cold 
[20] models. Zipf’s law states that if objects are ranked according to their 
access frequency, then the number of requests of the object with rank i is 
proportional to 1/i. In a hot-cold model, a small portion of the objects (10%) receive 

⁴ A corrupted directory service could prevent service entirely, but this is beyond the 
scope of the current study. 
the majority (90%) of the requests. Our network has 500 objects, each with three 
replicas placed on three randomly chosen nodes. The sizes of objects were chosen 
randomly from the interval 5kB - 50kB. Nodes request a data object, wait for 
the data and then request another, such as when a user is following a series of 
web links. 



4.2 Directory Server Operation 

We used five different directory services in our simulations: 

CDSr. The simplest directory service is the Centralized Directory Server (CDS). 
Here, one non-transit node is chosen to be the directory server. Object re- 
quests are made in two stages. First, the directory server is queried and 
returns the location of a random replica of the object. Second, the request- 
ing node communicates directly with the node hosting the replica and the 
data is returned. 

CDSo. Same as above, except that the directory server returns the location of 
the replica which is closest to the requesting node. 

RDSr. The Replicated Directory Service (RDS) is placed on four random, 
widely-distributed, non-transit nodes. Queries are made as above, except 
that a node must choose one of the servers to fulfill its request. Here, the 
choice is made randomly for each request. The replica is also randomly cho- 
sen by the directory server as in the CDSr. 

RDSo. Same as the RDSr, except that each node sends requests to the nearest 
directory server. (Replica choice is still random). 

DDS. For the DDS, we implemented a simplified version of Tapestry as an 
extension to ns. All messages between nodes are passed by ns’s full TCP/IP 
agent. Messages route through the object’s tree to the statistically closest 
object replica, and the replica responds by sending the data contents directly 
to the requesting node. Our Tapestry data structures are statically built 
at the start of the simulation using full knowledge of the topology, and 
using hop count as the network distance metric. It should also be noted 
that our implementation is un-optimized and is likely slower than a real 
implementation would be. 

4.3 The Attacks 

We modeled two types of attacks in our simulations: 



Flooding Attacks. The first attacks we simulated flood some important 
node(s) and overload their queues to reduce the number of legitimate requests 
that get through. We randomly designated some nodes “agents”; the agents then 
stream a constant bit rate at the victim. We varied the number of agents as well 
as the severity (bit rate) of flooding. The life time of each agent was randomly 
chosen from 0 - 200 seconds with new agents immediately replacing those taken 
off-line. 
For the CDS and RDS, we attacked the directory server(s). We attacked the 
closest analogy in Tapestry, the root of a hot object. For comparison with the 
CDS (RDS), we flood the root of one (four) hot object (s), keeping the number 
of attacked nodes the same. 



Corruption Attacks. As these attacks are system/service-specific, we only 
simulated two attacks here as examples. 

The first attack forces an important node to believe there is a link with 
negligible latency between the nodes which are actually the farthest apart. We 
attack the directory server of the CDS, a random directory server of the RDS 
and the Tapestry root node of a hot object for comparison. 

The second attack is specific to Tapestry; a malicious Tapestry node claims to 
be the root node of all objects. By replying with a negative result to any request 
it receives, this node can potentially convince clients that requested objects do 
not exist, denying them access to an existing resource. The question we ask here 
is “how many nodes are affected?” 



5 Results 

5.1 Flooding Attacks 

We performed simulations of flooding attacks on the CDS, RDS, and Tapestry 
with hot-cold and Zipf’s law workloads. The results were similar for both work- 
loads, so we present only hot-cold results. 



Comparison of CDS and Tapestry: First, we compare the performance of 
CDS with Tapestry. We simulated one attacker at a rate of 500 or 2000 bytes 
every 5 ms or four attackers at rates between 500 bytes every 20ms and 500 bytes 
every 5ms. The results are shown in Figures 4 and 5. These figures reveal that 
a single attacker does not significantly influence performance, while distributed 
attackers, each flooding at the same high rate, cause severe denial of service. 

While a CDS suffers greatly under severe attacks, Tapestry shows some 
resistance. This can be explained by the distributed nature of Tapestry. Furthermore, 
Tapestry satisfies many requests before they reach the root: if we observe the 
attacked object exclusively, it retains more than 50% of its normal throughput. 

One interesting observation, as shown by the two rightmost sets of data in 
Figures 4 and 5, is that distributed attackers cause more severe DoS than a 
single attacker, even when injecting the same amount of flood traffic. The reason 
for this is that point-to-point attackers are limited by the bottleneck bandwidth 
from attacker to the victim. 

Figures 6 and 7 show the dynamics of the most severe flooding attacks on 
CDS and Tapestry. The attack(s) start at 40 seconds and end at 110 seconds. 
Given our simulation setup, the time to recover for CDS with both policies is 40 
seconds. As Tapestry is not really affected much, its time to recover is negligible. 
Fig. 4. Average response latency of CDS vs. Tapestry under DoS flooding attacks 

Fig. 5. Throughput of CDS vs. Tapestry under DoS flooding attacks 

Fig. 6. Dynamics of average response latency of CDS vs. Tapestry under DoS flooding attacks 

Fig. 7. Dynamics of throughput of CDS vs. Tapestry under DoS flooding attacks 



Comparison of RDS and Tapestry: To explore replicated directory service, 
we put four servers on widely-distributed, non-transit nodes. We investigated 
two policies: either the client contacts a random directory server (RDSr) or the 
closest one (RDSo). We did not simulate consistency traffic between directories. 

Again, the single flooding attack has little effect, so we only present results of 
DDoS attacks in Figures 8 and 9. We randomly selected four non-transit nodes as 
attackers. Each of these nodes attacks a directory server in a different subnet or 
the DDS root of a hot object; these attacks have little effect. We also randomly 
selected sixteen non-transit attack agents in groups of four, each from different 
subnets. Each group attacked one RDS directory server or the DDS root of a 
hot object. The attack rate varied from 500 bytes every 10ms to 500 bytes every 
1ms, with each agent set to the same rate. 

Both forms of RDS and Tapestry are far more resilient to DoS than CDS 
(observe the difference in flooding rates along the X-axes). Thus, replication and 
topology-aware locality can significantly increase resilience to DoS attacks. In 
our simulations, the optimal RDS always performs better than Tapestry. This 
is because Tapestry may be forced to traverse bottleneck links multiple 
times, whereas the clients in the same subnet as an RDS directory server can 
avoid the bottlenecks entirely. A more interesting observation, however, is that 
Tapestry comes very close to optimal RDS; as the number of objects and size of 
network increases, the number of replicated directory servers required to compete 
with the self-organizing nature of Tapestry is likely to increase, making Tapestry 
a better overall choice. Meanwhile, Tapestry outperforms the random RDS on 
severe attacks, lending credence to the locality properties of Tapestry. 

Fig. 8. Average response latency of RDS vs. Tapestry under DDoS flooding attacks 

Fig. 9. Throughput of RDS vs. Tapestry under DDoS flooding attacks 

Fig. 10. Nodes accessing each replica of an attacked object. Neighbor table corruption 
at the black square node renders all nodes enclosed by round-corner rectangles unable 
to locate the object. Simulation of 100 nodes and 60 objects (15% hot). 



5.2 Corruption Attacks 

When we compromised routing information at important nodes, the CDS and 
RDS, which access a random replica, are not affected⁵. The performance of the 
CDS which returns the optimal replica was degraded to 85%. The impact to 
Tapestry is negligible, with overall performance reduced by only 2.2%. We also 
simulated the Tapestry-specific node spoofing attack. The effects of the attack 
are displayed in Figure 10. The attack affects 24% of the network. 

⁵ We assume that the directory server(s) are not routers or gateways. 

Table 1. Attempting to rank the five different directory services 

Directory services       | Flooding attack (80%) | Corruption attack (10%) | Node spoofing attack (10%) | Total score | Rank 
-------------------------|-----------------------|-------------------------|----------------------------|-------------|----- 
CDS, random replica      | 0.027                 | N/A                     | N/A                        | 0.2216      | 4 
CDS, optimal replica     | 0.023                 | 0.85                    | N/A                        | 0.2034      | 5 
RDS, random dir server   | 0.17                  | N/A                     | N/A                        | 0.336       | 3 
RDS, optimal dir server  | 0.48                  | N/A                     | N/A                        | 0.584       | 1 
DDS                      | 0.35                  | 0.978                   | 0.76                       | 0.4538      | 2 

5.3 Resiliency Ranking 

How might we combine the results of previous sections into a single ranking? 
As suggested in Section 3, we might assign weights to different types of attacks 
based on perceived severity or frequency. For instance, if we assign 80% weight 
to flooding attacks and 10% each to two “corruption” attacks, we can roughly 
rank the directory services as in Table 1. Here we simulate all eight attacks in 
Figures 4, 5, 8 and 9 for all three types of directory services and report a weighted 
sum of normalized throughputs. The weights are assigned in proportion to the 
amounts of flood traffic and the normalization is based on the corresponding di- 
rectory service performance without attack; this will vary from system to system, 
but does give an idea how these services differ in terms of DoS resilience. 
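The weighted ranking of this section, as an added example that is not from the paper: it reproduces the Table 1 totals and ranks from the per-attack scores, makes the two-level weighting explicit (runs weighted by their share of flood traffic inside the flooding class, then classes weighted 80/10/10), and treats an attack that cannot reach a service (N/A) as no degradation. That last rule is inferred from the table totals (0.8 × 0.027 + 0.1 + 0.1 = 0.2216) and is not stated in the text. The flooding runs in `SAMPLE_RUNS` are constructed numbers, not measurements.

```python
WEIGHTS = {"flooding": 0.8, "corruption": 0.1, "spoofing": 0.1}

# Per-attack normalized throughputs as printed in Table 1; None marks an
# attack that does not apply to the service (N/A in the table).
TABLE1 = {
    "CDS, random replica":     {"flooding": 0.027, "corruption": None,  "spoofing": None},
    "CDS, optimal replica":    {"flooding": 0.023, "corruption": 0.85,  "spoofing": None},
    "RDS, random dir server":  {"flooding": 0.17,  "corruption": None,  "spoofing": None},
    "RDS, optimal dir server": {"flooding": 0.48,  "corruption": None,  "spoofing": None},
    "DDS":                     {"flooding": 0.35,  "corruption": 0.978, "spoofing": 0.76},
}

def flooding_score(runs, baseline):
    """Collapse several flooding runs into one number.
    runs: list of (flood traffic in bytes/s, throughput under that flood).
    Each run is normalized by the no-attack throughput and weighted by its
    share of the total flood traffic, as Section 5.3 describes."""
    total = sum(rate for rate, _ in runs)
    return sum((rate / total) * (tput / baseline) for rate, tput in runs)

def resilience_score(scores, weights=WEIGHTS, not_applicable=1.0):
    """Weighted sum over attack classes. An attack that cannot touch a service
    (None) counts as no degradation; this rule is inferred from the Table 1
    totals, it is not stated in the paper."""
    total = sum(w * (not_applicable if scores[k] is None else scores[k])
                for k, w in weights.items())
    return round(total, 4)

def rank_services(table, weights=WEIGHTS):
    """Rank 1 = most resilient under the chosen weights."""
    ordered = sorted(table, key=lambda s: resilience_score(table[s], weights), reverse=True)
    return {s: i + 1 for i, s in enumerate(ordered)}

# Constructed sample: one service under three flood intensities, with a
# no-attack throughput of 200 requests/s. Not measured data.
SAMPLE_RUNS = [(25_000, 180.0), (100_000, 100.0), (400_000, 20.0)]
```

One consequence of the N/A rule is visible in the numbers: with two of its three columns fixed at 1.0, the optimal RDS can only be overtaken by the DDS through the flooding column, whatever split replaces 80/10/10, so the ranking is less sensitive to the chosen weights than it may appear.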

6 Limitations and Generalizations 

While our study is very specific we feel that some of our methodology can be 
applied in a more general setting. In particular, our approach of simulating a 
complete, well-behaved system and then injecting malicious faults and measuring 
the consequences should be generally applicable. Of course, we only simulated 
static clients, servers, and attackers; one future task will be to incorporate more 
dynamic behavior. We also hope to extend the scope of our simulations to more 
applications. Note that the specifics, from system setup to the threat model, vary 
greatly from system to system. We hope to explore techniques for combining 
results across multiple dimensions, possibly extending the automated approach 
for weight generation suggested by Bayuk [2]. As more attempts are made to 
quantify the DoS resilience of different systems, we hope to more completely 
understand both the nature of DoS attacks and how to measure their impact. 

7 Related Work 

Early work by Gligor and Yu [11,25] built on the classic notion of a trusted 
computing base to define a “DoS Protection Base” . Yu and Gligor also pointed 
out that denial of service is in fact an attack on resource availability. Millen 
believed that DoS is a problem of improper resource allocation [18], while Mead- 
ows has characterized the susceptibility of network services to DoS attacks on 
resources used before remote host authentication [17]. Some attacks rely on pro- 
tocol weaknesses to consume resources with minimal attacker effort, as in TCP 
SYN flooding [22]; other attacks depend simply on the ability of an attacker to 
produce sufficient traffic to overwhelm a victim by brute force [7]. 

In [22], the authors investigated several approaches to fighting TCP SYN 
attacks and developed a tool which actively monitored the network for suspi- 
cious attack behavior and terminated dangling connections left by the attacker. 
In [23], the authors describe the use of an end-to-end resource accounting in 
the Scout operating system to protect against resource-based DoS attacks. Both 
these works present microbenchmarks testing the effectiveness of the proposed 
countermeasure. Our approach differs partly in that we investigate attacks on 
availability of a service, rather than on a particular server. 

Brown and Patterson [4] investigate the use of fault injection to benchmark 
availability and apply their methodology to software RAID systems. Our work 
is similarly based on injecting faults into a workload and investigating the effect, 
but our faults are malicious in nature. 

8 Conclusions 

In this paper, we explored the resilience of several object location services under 
denial of service attacks. We did this by creating a complete simulation envi- 
ronment, including realistic network topologies, server architectures and client 
behaviors. We then injected malicious attacks into the system and measured the 
availability of the attacked services. Not surprisingly, we discovered that dis- 
tributed organizations are more resilient to DoS attacks than centralized ones. 
Our simulation framework is a first attempt to quantify the network DoS re- 
silience of arbitrary systems and services. 
Abstract. We present a novel public key encryption scheme semantically 
secure in the standard model under the intractability assumption of 
the subgroup membership problem. We also describe an honest verifier 
zero knowledge proof of knowledge protocol that can be converted into 
a signature scheme in the usual way. 



1 Introduction 

Diffie and Hellman introduced the concept of public key cryptography in their 
landmark paper in 1976 [6]. They showed how to construct a public key 
cryptosystem (PKC) using a trapdoor one-way function, i.e. a function that is easy to 
compute but (supposedly) hard to invert without the knowledge of some 
trapdoor information. In 1978, Rivest, Shamir and Adleman [15] proposed the first 
concrete example of a PKC, the renowned RSA cryptosystem which has been 
widely used for the last two decades. Other examples have followed since [14,7, 
12,13]. 

In this paper we present a new PKC that can be proven semantically secure 
in the standard model under the intractability of the subgroup membership 
problem [17]. Informally, given a group $G$, a subgroup $H$ of $G$ and an element 
$y \in G$, the subgroup membership problem entails deciding whether $y$ is an 
element of $H$. In particular, for $p = 2n + 1$, with $n = q_0 q_1$, and $p, q_0, q_1$ primes, 
we are interested in the instantiation of the subgroup membership problem to the 
case with $G = G_n \times G_n$ and $H = G_{q_0} \times G_{q_1}$, where $G_n$, $G_{q_0}$ and $G_{q_1}$ are subgroups 
of $\mathbb{Z}_p^*$ of order $n$, $q_0$ and $q_1$ respectively. The “one-wayness” of the scheme is 
based on the difficulty of finding the projections of an element of the subgroup 
$G_n$ onto each of the subgroups $G_{q_0}$ and $G_{q_1}$. With regard to the efficiency of the 
scheme, both encryption and decryption take two modular exponentiations, and 
the encryption has a message expansion factor of 2. 

2 Security Notions 

Ideally, the security of a PKC is established by finding a reduction of a well known 
hard problem, such as factoring integers or computing discrete logarithms in a 
finite group, to breaking the PKC. Firstly, however, a definition of what breaking 
the cryptosystem means is needed. Different definitions are possible which result 
in different notions of security. Initially, a PKC was considered secure if given 
a ciphertext and the public key used in encrypting the corresponding plaintext, 
an attacker cannot compute the plaintext, i.e. security was equivalent to “one- 
wayness” . Such a definition of security is not sufficient for many situations. It, 
for example, does not preclude attacks that recover partial information about 
the plaintext. 

In 1984, Goldwasser and Micali [9] proposed a more practical definition of 
security, semantic security (also known as polynomial indistinguishability). 
Informally, under the new definition, a PKC is secure if whatever an attacker can 
obtain about the plaintext from seeing the ciphertext, she can also obtain with- 
out it. In other words, the PKC satisfies semantic security if an attacker does 
not learn anything about the plaintext from observing encryptions. This defini- 
tion excludes deterministic schemes such as plain RSA. Bellare and Rogaway [3] 
proposed OAEP, a scheme to transform any trapdoor one-way permutation such 
as RSA into a semantically secure PKC. The proof of security relies, however, on 
the heuristic of substituting hash functions for random oracles. Schemes that are 
provably semantically secure in the standard model (without assuming random 
oracles) include the ElGamal cryptosystem [7] based on the decisional Diffie- 
Hellman problem [4], Paillier’s scheme [13] using the composite residuosity as- 
sumption, and Okamoto-Uchiyama’s cryptosystem [12] based on factoring. 

The scheme presented in this paper is proven semantically secure in the 
standard model on the assumption that a certain number theoretic problem, 
viz. the subgroup membership problem, is hard. This problem is connected to 
the integer factorisation problem in that it is certainly not harder. We note that 
previous cryptosystems relying on the factorisation problem for security seem 
to either use the random oracle model (such as OAEP) or require a modulus of 
special form (such as Okamoto-Uchiyama). 

3 Preliminaries 

Before we describe the new public key cryptosystem (PKC), we review some 
basic algebraic and number theoretic results that will allow us to discuss its 
security in section 5. 

Firstly, let us consider the multiplicative group $\mathbb{Z}_p^*$ with $p = 2n + 1$, $n = q_0 q_1$ 
and where $p, q_0, q_1$ are distinct primes. Let $k = |q_0| = |q_1|$, the size of the binary 
representation of both $q_0$ and $q_1$. We denote the subgroups of $\mathbb{Z}_p^*$ of order $q_0$, 
$q_1$ and $n$ by $G_{q_0}$, $G_{q_1}$ and $G_n$, respectively. All operations are assumed $\bmod p$ 
except where explicitly noted. 

Fact 1. For every element $y \in G_n$ there exists a unique pair $(y_0, y_1) \in G_{q_0} \times G_{q_1}$ 
such that $y = y_0 y_1 \bmod p$. 

Since Fact 1 forms the basis of the new PKC, we will elaborate on it. Firstly, 
we note that Fact 1 is a direct consequence of $G_{q_0} \cap G_{q_1} = \{1\}$. Thus, a simple 
counting argument shows that no two elements of $G_{q_0} \times G_{q_1}$ represent the 
same element in $G_n$. One can also see the workings of the Chinese remainder 
theorem (CRT) here. If $g_0$ and $g_1$ are generators of $G_{q_0}$ and $G_{q_1}$ respectively, 
then $g = g_0 g_1$ is a generator of $G_n$, and any element $y \in G_n$ can be expressed 
as $y = g^x$, where $x \in \mathbb{Z}_n$. Thus, we can write 

$$y = g^x = g_0^{x_0} g_1^{x_1},$$ 

where 

$$x \equiv x_0 \pmod{q_0}, \qquad x \equiv x_1 \pmod{q_1}.$$ 

We know by virtue of the CRT that such a system of equations has a unique 
solution, namely 

$$x = x_0 a_0 + x_1 a_1 \bmod n,$$ 

where 

$$a_0 = q_1 \,(q_1^{-1} \bmod q_0), \qquad a_1 = q_0 \,(q_0^{-1} \bmod q_1).$$ 

The following properties will be useful later on: 

Fact 2. Properties of $a_0$ and $a_1$ 

1. $a_0 + a_1 \equiv 1 \pmod n$. 

2. $a_0 a_1 \equiv 0 \pmod n$. 

3. $a_i^k \equiv a_i \pmod n$, for $i = 0, 1$ and for all $k > 0$. 

To see that the third property holds (the case $k = 1$ being trivial), notice that by the first property 

$$a_i^k \bmod n = (1 - a_{1-i})^{k-1} a_i \bmod n = \bigl(1 - \mathrm{pol}(a_{1-i})\, a_{1-i}\bigr)\, a_i \bmod n = a_i,$$ 

where $\mathrm{pol}(\cdot)$ is a polynomial of degree $k - 2$, and the last step uses the second property. 

It is not difficult to see that $G_n$ and $G_{q_0} \times G_{q_1}$ are isomorphic. From Fact 1 
the following mapping is a bijection: 

$$f : G_{q_0} \times G_{q_1} \to G_n, \qquad (y_0, y_1) \mapsto y_0 y_1 \bmod p.$$ 

Knowledge of the factorisation of $p - 1$ allows us to compute the inverse of $f(\cdot)$, 
as follows. 

$$f^{-1} : G_n \to G_{q_0} \times G_{q_1}, \qquad y \mapsto (f_0(y), f_1(y)),$$ 

where 

$$f_i : G_n \to G_{q_i}, \qquad y \mapsto y^{a_i}.$$ 

In order to help us visualise the above functions, we can identify the subgroup 
components $G_{q_0}$ and $G_{q_1}$ as “coordinate axes” of $G_n$, and think of $G_n$ as a Cartesian 
plane (see Fig. 1). Thus, any element $y \in G_n$ has $G_{q_0}$- and $G_{q_1}$-coordinates 
$(y_0, y_1)$ as given by $f^{-1}$. We are unaware of any efficient (i.e. probabilistic polynomial 
time) algorithm that can compute inverses of $f(\cdot)$ without knowledge of 
the factorisation of $p - 1$, which is thus the trapdoor information. Based on this, 
we define a new computational problem which we call the Projection Problem. 
Informally, given $y \in G_n$, the projection problem entails finding $(y_0, y_1) \in G_{q_0} \times G_{q_1}$ 
such that $y = y_0 y_1 \bmod p$. More formally, let $k$ be the security parameter. Let 
$\mathcal{IG}$ (instance generator) be a probabilistic polynomial time algorithm that on 
input $1^k$ outputs a prime $p = 2 q_0 q_1 + 1$ with $q_0, q_1$ two random $k$-bit primes, and 
two subgroup generators $g_0, g_1$ of $G_{q_0}$ and $G_{q_1}$ respectively. 

Fig. 1. Projection of $y \in G_n$ onto subgroup components $G_{q_0}$ and $G_{q_1}$. 

Definition 1 (Projection Problem $\mathcal{PP}$ Assumption). For every probabilistic 
polynomial time (in $k$) algorithm $A$, for every $\alpha > 0$ and sufficiently large 
$k$: 

$$\Pr[A(p, g_0, g_1, y) = (y_0, y_1)] < 1/k^{\alpha},$$ 

where $y \in G_n$ and $(y_0, y_1) \in G_{q_0} \times G_{q_1}$ such that $y = y_0 y_1 \bmod p$. The probability 
is taken over the random choice of $(p, g_0, g_1) \leftarrow \mathcal{IG}(1^k)$, the random choice of 
$y \in G_n$, and the random bits used by $A$. 

As we show below, the complexity of this problem is related to that of the 
better known subgroup membership problem, in that the projection problem is 
not easier. Informally, given a group $G$, a subgroup $H$ of $G$ and an element $y \in G$, 
the subgroup membership problem entails deciding whether $y$ is an element of $H$. 
In our case we are interested in the instantiation of the subgroup membership 
problem to the case where $G = G_n \times G_n$ and $H = G_{q_0} \times G_{q_1}$. We refer the 
reader to Yamamura and Saito’s paper [17] for a more elaborate treatment of 
the subgroup membership problem. 

Definition 2 (Subgroup Membership Problem $\mathcal{SMP}$ Assumption). For 
every probabilistic polynomial time (in $k$) algorithm $A$, for every $\alpha > 0$ and 
sufficiently large $k$: 

$$\Bigl|\Pr[A(p, g_0, g_1, y) = \text{“true”} \mid y \in G_{q_0} \times G_{q_1}] - \Pr[A(p, g_0, g_1, y) = \text{“true”} \mid y \notin G_{q_0} \times G_{q_1}]\Bigr| < 1/k^{\alpha},$$ 

where $y \in G_n \times G_n$. The probability is taken over the random choice of 
$(p, g_0, g_1) \leftarrow \mathcal{IG}(1^k)$, the random choice of $y \in G_n \times G_n$, and the random bits 
used by $A$. 

As pointed out by Yamamura and Saito [17], popular decisional problems such 
as the Decisional Diffie-Hellman [4], or the Quadratic Residuosity [9] problems 
are also examples of the subgroup membership problem. 

In order to compare the complexity of computational problems we use the 
following relation: 

Definition 3. Let $\mathcal{X}$ and $\mathcal{Y}$ be two computational problems. $\mathcal{X} \le_P \mathcal{Y}$ ($\mathcal{X}$ polytime 
reduces to $\mathcal{Y}$) if there exists an algorithm that is polynomial time as a function 
of the input length of $\mathcal{X}$, that solves $\mathcal{X}$ by making use of an oracle that solves $\mathcal{Y}$. 

Lemma 1. $\mathcal{SMP} \le_P \mathcal{PP}$ 

Proof. Assume that there exists an efficient algorithm that can find the 
projections of elements of $G_n$, i.e. that on input $p, g_0, g_1$, and $y \in G_n$ outputs 
$(y_0, y_1) \in G_{q_0} \times G_{q_1}$ such that $y_0 y_1 = y$. Then it is straightforward to construct 
another efficient algorithm that given $(u_0, u_1) \in G_n \times G_n$ decides if $(u_0, u_1)$ is 
also in $G_{q_0} \times G_{q_1}$, for in such case the projection of $u_0$ onto $G_{q_1}$ and of $u_1$ onto 
$G_{q_0}$ will both be 1. □ 

We can also compare the projection problem with the well known integer 
factorisation problem and the discrete logarithm problem. Informally, given a 
positive integer $n$, the integer factorisation problem $\mathcal{IFP}$ entails finding $q_1, \dots, q_l$ 
and $e_1, \dots, e_l$ such that $n = \prod_{i=1}^{l} q_i^{e_i}$, where the $q_i$ are pairwise distinct primes 
and each $e_i \ge 1$. The discrete log problem $\mathcal{DLP}$ in a finite group is as follows: 
given two elements $g$ and $h$ of a group $G$, find $x$ such that $h = g^x$. 

Lemma 2. The following relationships hold: 

1. $\mathcal{PP} \le_P \mathcal{IFP}$ 

2. $\mathcal{PP} \le_P \mathcal{DLP}$ 

Proof. It can be immediately verified that $\mathcal{PP} \le_P \mathcal{IFP}$. To see that $\mathcal{PP} \le_P \mathcal{DLP}$, 
we notice that if one can compute $x = \log_g y$, where $\log_g$ denotes the discrete 
logarithm in base $g = g_0 g_1$, then the projections of $y$ are simply $y_i = g_i^{x}$. 
Furthermore, if one can compute $a_i = \log_g g_i$, then the factorisation of $p - 1$ is 
obtained from $\gcd(a_i, p - 1)$, which equals $q_{1-i}$ or $2 q_{1-i}$ since $q_{1-i}$ divides $a_i$; 
this allows us to obtain the projections of any other element in $G_n$. □ 
4 The Scheme 

The PKC consists of three algorithms: key generation, encryption and 
decryption. 

Key Generation. Let $k$ be the security parameter. In order to generate an 
asymmetric key pair each user does as follows. 

1. Choose a random prime $p$ of the form $p = 2n + 1$ where $n = q_0 q_1$ with $q_i$ 
also prime such that $|q_i| = k$. 

2. Select two elements $g_i$ of order $q_i$. Since the user knows the factorisation of 
$n$ she can do this easily. $g_i$ is thus a generator of $G_{q_i}$. 

3. Compute $a_i = q_{1-i}\,(q_{1-i}^{-1} \bmod q_i)$. 

4. The public key of the user is $\mathit{PubKey} = \{p, g_0, g_1\}$, and the corresponding 
private key is $\mathit{PriKey} = \{a_0, a_1\}$. 

Encryption. The following algorithm encrypts a message $m \in G_n$ using a 
public key $\mathit{PubKey} = \{p, g_0, g_1\}$ as generated by the key generation algorithm 
(see Fig. 2): 

1. Choose two random integers $r_i$, $1 \le r_i < n$. 

2. Compute $v_i = g_i^{r_i}$. Thus $v_i$ is an element of $G_{q_i}$. 

3. Compute $c_i = m\, v_{1-i}$. 

4. The ciphertext is then $c = (c_0, c_1)$. 

An implementation of the algorithm would also require an encoding function 
from the actual message space to $G_n$. We do not define any such function, for it 
depends on the application. Cramer and Shoup [5] give suitable examples. 



9? 



mi 



51 
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G„ 




; m 












— 9^ 4 • 





1 m-o *50 



Fig. 2. Encryption of m € G„. 
Decryption. Given a ciphertext $c$ encrypted using $PubKey = \{p, g_0, g_1\}$, the 
message $m$ can be recovered using the corresponding private key $PriKey = 
\{a_0, a_1\}$ as follows: 

1. Compute $m_i = f_i(c_i) = c_i^{a_i}$. 

2. Calculate $m = m_0 m_1$. 

We can verify that the above equations actually decrypt to the original mes- 
sage $m$. From Fact 1, $m$ has a unique representation $(m_0, m_1) \in G_{q_0} \times G_{q_1}$. 
Hence, 

$$c_i = (m_0 m_1)\, v_{1-i},$$ 

and since $(m_{1-i} v_{1-i}) \in G_{q_{1-i}}$, it will be "filtered out" by $f_i(\cdot)$, 
because $a_i \equiv 1 \pmod{q_i}$ and $a_i \equiv 0 \pmod{q_{1-i}}$, i.e. 

$$f_i(c_i) = \big(m_i\,(m_{1-i} v_{1-i})\big)^{a_i} = m_i .$$ 

An interesting property of our scheme is that anyone can transform a cipher- 
text $c = (c_0, c_1) = (m v_1, m v_0)$ into another ciphertext $c' = (c_0 v_1', c_1 v_0')$, 
where $v_i' = g_i^{r_i'}$ for fresh random exponents $r_i'$, such that both ciphertexts 
decrypt to the same plaintext $m$, while keeping the relationship between $c$ and 
$c'$ concealed. This property is shared with Paillier's and Okamoto and 
Uchiyama's cryptosystems. 
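The key generation, encryption, decryption and re-randomisation above, run end to end on toy parameters, as an added example (not the paper's code). Assumed: a tiny $k$ so trial division suffices, and a stand-in encoding into $G_n$ by squaring modulo $p$ (the paper leaves the encoding open); `roundtrip_demo` reports the invariants a practitioner would check.

```python
"""Toy run of the Sect. 4 cryptosystem.  Added example, not the paper's code.
Assumptions: tiny k so trial division suffices; the encoding of messages into
G_n (left open by the paper) is modelled by squaring mod p, since the squares
of Z_p^* are exactly the index-2 subgroup G_n when p = 2n + 1."""
import random

def is_prime(x):
    """Deterministic trial division; fine for the toy sizes used here."""
    if x < 2:
        return False
    if x % 2 == 0:
        return x == 2
    d = 3
    while d * d <= x:
        if x % d == 0:
            return False
        d += 2
    return True

def random_prime(bits, rng):
    """Random odd prime with exactly `bits` bits (|q_i| = k in the paper)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(cand):
            return cand

def keygen(k, rng):
    """Key generation: p = 2n + 1, n = q0 q1, g_i of order q_i, a_i the CRT idempotents."""
    while True:
        q0, q1 = random_prime(k, rng), random_prime(k, rng)
        n = q0 * q1
        p = 2 * n + 1
        if q0 != q1 and is_prime(p):
            break

    def element_of_order(q):
        # h^((p-1)/q) has order q unless it collapses to 1; retry in that case
        while True:
            g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)
            if g != 1:
                return g

    g0, g1 = element_of_order(q0), element_of_order(q1)
    # a_i = q_{1-i} * (q_{1-i}^{-1} mod q_i): a_i = 1 (mod q_i), a_i = 0 (mod q_{1-i})
    a0 = q1 * pow(q1, -1, q0)
    a1 = q0 * pow(q0, -1, q1)
    return (p, g0, g1), (a0, a1), (q0, q1)

def encode(x, pub):
    """Stand-in encoding (assumption): x^2 mod p lies in G_n."""
    return pow(x, 2, pub[0])

def encrypt(pub, m, rng):
    """c_i = m * v_{1-i} with v_i = g_i^{r_i}; n = (p - 1) / 2 is public."""
    p, g0, g1 = pub
    n = (p - 1) // 2
    v0 = pow(g0, rng.randrange(1, n), p)
    v1 = pow(g1, rng.randrange(1, n), p)
    return (m * v1 % p, m * v0 % p)

def decrypt(pub, priv, c):
    """m_i = f_i(c_i) = c_i^{a_i}: a_i kills the G_{q_{1-i}} factor and keeps m_i."""
    p, (a0, a1), (c0, c1) = pub[0], priv, c
    return pow(c0, a0, p) * pow(c1, a1, p) % p

def rerandomize(pub, c, rng):
    """Anyone can re-blind: c' = (c0 * g1^{r1'}, c1 * g0^{r0'}) decrypts to the same m."""
    p, g0, g1 = pub
    n = (p - 1) // 2
    return (c[0] * pow(g1, rng.randrange(1, n), p) % p,
            c[1] * pow(g0, rng.randrange(1, n), p) % p)

def project(pub, priv, u):
    """With the trapdoor the projection problem is easy: u = u0 * u1, u_i in G_{q_i}."""
    p, (a0, a1) = pub[0], priv
    return pow(u, a0, p), pow(u, a1, p)

def roundtrip_demo(seed, k=8):
    """Full cycle on a seeded RNG; returns the invariants a practitioner would check."""
    rng = random.Random(seed)
    pub, priv, (q0, q1) = keygen(k, rng)
    p, g0, g1 = pub
    m = encode(rng.randrange(2, p - 1), pub)
    c = encrypt(pub, m, rng)
    u0, u1 = project(pub, priv, m)
    return {
        "p_form": p == 2 * q0 * q1 + 1,
        "orders": pow(g0, q0, p) == 1 and pow(g1, q1, p) == 1,
        "decrypt": decrypt(pub, priv, c) == m,
        "rerandomized": decrypt(pub, priv, rerandomize(pub, c, rng)) == m,
        "projection": u0 * u1 % p == m and pow(u0, q0, p) == 1 and pow(u1, q1, p) == 1,
    }
```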

5 Security of the Scheme 

In this section we show that the new PKC satisfies the “one-wayness” property 
under the assumption that the projection problem is hard. We also prove that 
the scheme is semantically secure under the intractability assumption of the 
subgroup membership problem. 

Theorem 1. The new PKC is one-way if and only if the projection problem (PP) assumption holds. 

Proof. ($\Rightarrow$) Given the capability to calculate the projections of an element of 
$G_n$ into $G_{q_0}$ and $G_{q_1}$, the encryption algorithm is trivially broken. 

($\Leftarrow$) Assume there is an efficient algorithm $A_C$ that breaks the encryption 
algorithm without knowledge of the trapdoor information $(q_0, q_1)$. Thus on in- 
put $p, g_0, g_1$ and $(c_0, c_1) \in G_n \times G_n$, the breaking algorithm $A_C$ outputs the 
corresponding decryption $m \in G_n$, such that $c_0 = m v_1$ and $c_1 = m v_0$ with 
$(v_0, v_1) \in G_{q_0} \times G_{q_1}$. Then we can construct another efficient algorithm $A_P$ that 
computes the projections $(u_0, u_1) \in G_{q_0} \times G_{q_1}$ of an element $u \in G_n$ as follows: 

$$(u_0, u_1) = A_P(p, g_0, g_1, u) = \big(A_C(p, g_0, g_1, u, g_0),\ A_C(p, g_0, g_1, g_1, u)\big),$$ 

since $(u, g_0)$ is an encryption of $u_0$ (with $v_0 = g_0 u_0^{-1}$, $v_1 = u_1$) and $(g_1, u)$ 
is an encryption of $u_1$ (with $v_0 = u_0$, $v_1 = g_1 u_1^{-1}$). 

□ 



Theorem 2. The new PKC is semantically secure if and only if the subgroup 
membership problem assumption holds. 

Proof. ($\Leftarrow$) Assume that the scheme is not semantically secure. This means that 
there exists an efficient algorithm $A_D$ such that 

$$A_D(p, g_0, g_1, c_0, c_1, m) = 1$$ 

if $c = (c_0, c_1)$ is an encryption of $m$, and 0 otherwise. Then, we can construct 
another algorithm $A_S$ that solves the subgroup membership problem, i.e. that on input 
$p, g_0, g_1, u$ outputs 1 if $u = (u_0, u_1)$ is an element of $G_{q_1} \times G_{q_0}$ by simply letting 

$$A_S(p, g_0, g_1, u) = A_D(p, g_0, g_1, u_0, u_1, 1) .$$ 

($\Rightarrow$) Similarly, it can be easily verified that given $A_S$, we can construct an 
algorithm $A_D$ that contradicts the semantic security of the scheme by defining 

$$A_D(p, g_0, g_1, c_0, c_1, m) = A_S\big(p, g_0, g_1, (c_0, c_1)\, m^{-1}\big) .$$ 

□ 

We now analyse the efficiency of our scheme. In accordance with our discussion 
in Sect. 3, we assume that the best attacks against our scheme entail either fac- 
toring $p - 1$ or the ability to take discrete logarithms in $G_n$. Thus, $p - 1$ should 
be large enough to make finding its factorisation hard, and therefore the same 
moduli length recommendations as for RSA apply (see e.g. [10]). That would 
also ensure that the discrete log problem is hard in both $G_{q_0}$ and $G_{q_1}$, since 
$|p| \approx |q_0| + |q_1|$ and $|q_i| = k$. Encryption requires two exponentiations of fixed 
bases $g_0$ and $g_1$ and two multiplications modulo $p$. The efficiency of the encryp- 
tion can be increased by choosing the exponents $r_i \in \{1, \ldots, 2^t\}$ and making 
$t < k$ but large enough so that computing discrete logs is hard. Decryption 
requires two exponentiations to fixed exponents and a multiplication. Optimisa- 
tions that significantly speed up the exponentiations are possible, especially for 
decryption [11]. 

Our scheme is thus comparable to the ElGamal cryptosystem, which has the 
same number of exponentiations for encryption and the same message expan- 
sion factor of 2. Decryption in ElGamal requires only 1 exponentiation. However, 
using simultaneous multiple exponentiation (algorithm 14.88 in [11]), it is pos- 
sible to speed up the decryption of our scheme to the equivalent of 1.3 ElGamal 
decryption exponentiations. 



6 Identification Scheme 

In this section we present a three-pass honest verifier zero knowledge proof of 
knowledge protocol that can be used as an interactive identification protocol. It 
can also be converted into a signature scheme in the usual way to accompany 
the new public key cryptosystem. 

The protocol is run between two entities: a prover $P$ and a verifier $V$. Let $PK$ 
be the set of all public keys $\{p, g_0, g_1\}$ generated by the Key Generation algorithm 
of Sect. 4. Let $SK(pk)$ be the secret key corresponding to $pk \in PK$. For every 
$pk \in PK$ the protocol allows $P$ to prove to $V$ knowledge of the corresponding 
$SK(pk) = \{a_0, a_1\}$, and hence of the factorisation of $p - 1$. As before, $i$ takes 
values in $\{0, 1\}$. 

Protocol 1. 

1. $P$ chooses a random number $r \in \mathbb{Z}_n$, computes $r_i = r \bmod q_i$, $x_i = g_i^{r_i}$ and 
sends $x_i$ to $V$. 

2. $V$ picks $s_i \in_R \{0, \ldots, 2^t - 1\}$, where $t < k = |q_i|$ is defined to be large enough 
so that guessing $s_i$ is hard. $V$ then sends $s_i$ to $P$. 

3. $P$ computes $u = r_0 s_0 a_0 + r_1 s_1 a_1 \bmod n$ and sends it to $V$. 

4. $V$ checks that $x_i = g_i^{\,u s_i^{-1} \bmod n}$ for $i = 0, 1$. 

Theorem 3. Protocol 1 is a proof of knowledge for the relation $R = 
\{(pk, SK(pk)) : pk \in PK\}$. 

Proof. We use the definition of Bellare and Goldreich [2]. Let $P$ be any prover 
(not necessarily following the protocol), and $p(pk)$ be the probability that $P$ 
convinces $V$ to accept the claim that $P$ knows $SK(pk)$. Let $\kappa(pk)$ represent the 
error probability of $V$, i.e. the probability that $V$ incorrectly accepts $P$'s claim 
on input $pk$. The above protocol is an interactive proof of knowledge system if 
the following is satisfied: 

1. Completeness. If $P$ and $V$ follow the protocol, then the probability that $V$ 
accepts is 1. 

2. Validity. For every $pk \in PK$, there exists an expected polynomial time Turing 
machine $K$ (knowledge extractor) having oracle access to $P$, that outputs 
$SK(pk)$ or a special symbol $\bot$ (for failure), such that if $p(pk) > \kappa(pk)$ 

$$\Pr[K(pk; P) = SK(pk)] \ge p(pk) - \kappa(pk).$$ 

The completeness of the protocol is straightforward to verify. In what follows, 
we construct a knowledge extractor $K$ that satisfies the validity requirement as 
long as the prover will answer correctly to at least two oracle queries. Oracle 
access means that $K$ has rewindable black-box access to $P$. Thus $K$ can 
query $P$ on any input $pk$ and challenges $s_0, s_1$ and obtains the corresponding 
transcripts. Although $K$ has no access to the randomness of $P$, it can "rewind" 
any protocol runs and reuse the same randomness. In our case, $\kappa(pk) \ge 2^{-2t}$, 
i.e. $V$ accepts incorrectly with a probability at least that of guessing $s_i$. 



Knowledge Extractor $K$ 

1. Given $pk \in PK$, compute $(x_0, x_1) = x(pk; P)$, where $x(pk; P)$ is the first 
message output by $P$ on input $pk$. 

2. Choose $(s_0, s_1)$ at random in the same way as $V$ does. 

3. Compute $u = u(s_0, s_1, pk; P)$, where $u(s_0, s_1, pk; P)$ is the output of $P$ after 
receiving the challenge $(s_0, s_1)$. 

4. If $x_i = g_i^{\,u s_i^{-1}}$ for $i = 0, 1$, fix $s_i$ and $u$ and continue to step 5, else output $\bot$ and halt. 

5. Rewind $P$ to the state just after step 1. Choose another random pair $(\tilde{s}_0, \tilde{s}_1)$ 
in the same way as $V$ does. 

6. Compute $\tilde{u} = u(\tilde{s}_0, \tilde{s}_1, pk; P)$. 

7. If $x_i = g_i^{\,\tilde{u} \tilde{s}_i^{-1}}$ for $i = 0, 1$, then fix $\tilde{s}_i$ and $\tilde{u}$, and go to step 8, else output $\bot$ and halt. 

8. Solve the following equations for $(\hat{a}_0, \hat{a}_1) \in \mathbb{Z}_n^2$: 

$$u = s_0 \hat{a}_0 + s_1 \hat{a}_1 \pmod n$$ 
$$\tilde{u} = \tilde{s}_0 \hat{a}_0 + \tilde{s}_1 \hat{a}_1 \pmod n.$$ 

If no solution is found repeat from step 5. 

9. Calculate $r = \hat{a}_0 + \hat{a}_1 \bmod n$. If $r$ has no inverse $\bmod n$, then output $\bot$ and 
halt. 

10. Compute 

$$a_0 = r^{-1} \hat{a}_0 \bmod n$$ 
$$a_1 = r^{-1} \hat{a}_1 \bmod n.$$ 

11. Output $\{a_0, a_1\}$ and halt. 

Firstly, let's verify that when $u$ and $\tilde{u}$ result in $V$ accepting, then the output 
corresponds indeed with $SK(pk)$. $u$ and $\tilde{u}$ result in $V$ accepting if and only if 
the following holds: 

$$x_i = g_i^{\,u s_i^{-1}} \quad \text{and} \quad x_i = g_i^{\,\tilde{u} \tilde{s}_i^{-1}} ,$$ 

which, in turn, occurs if and only if 

$$u = s_0 \hat{a}_0 + s_1 \hat{a}_1 \bmod n = s_0 r_0 a_0 + s_1 r_1 a_1 \bmod n$$ 

and 

$$\tilde{u} = \tilde{s}_0 \hat{a}_0 + \tilde{s}_1 \hat{a}_1 \bmod n = \tilde{s}_0 r_0 a_0 + \tilde{s}_1 r_1 a_1 \bmod n,$$ 

where $r_i = \log_{g_i} x_i$. It is not difficult to see from Fact 2 that 

$$r^{-1} = (r_0 a_0 + r_1 a_1)^{-1} \bmod n = r_0^{-1} a_0 + r_1^{-1} a_1 \bmod n$$ 

and that therefore 

$$r^{-1} \hat{a}_i \bmod n = (r_0^{-1} a_0 + r_1^{-1} a_1)\, r_i a_i \bmod n = a_i .$$ 

To prove validity, we further have to establish the probability that $u$ and $\tilde{u}$ 
occur such that $K$ outputs $SK(pk)$. Given a fixed $u$ for which $V$ accepts, this 
probability will be inversely proportional to the acceptance probability of $V$ as 
long as $P$ gives an accepting response to at least one other query. We can use 
an identical proof to that used in examples of Bellare and Goldreich [2] for this. 
Alternatively $P$ only gives an accepting response to one query for this $u$. In 
this case the knowledge error function is equal to the acceptance probability of 
$2^{-2t}$. □ 
Theorem 4. Protocol 1 is honest verifier zero-knowledge. 

Proof. To prove Protocol 1 is honest verifier zero-knowledge we show that there 
exists a simulator $S$ that on input $pk \in PK$ produces conversations that are 
indistinguishable from real conversations between a prover and verifier following 
Protocol 1 faithfully on input $pk$. 

Simulator 

1. Choose a random number $u \in \mathbb{Z}_n$. 

2. Choose random $s_i \in \{0, \ldots, 2^t - 1\}$. 

3. Compute $x_i = g_i^{\,u s_i^{-1} \bmod n}$. 

4. Output $(x_0, x_1; s_0, s_1; u)$. 

Notice that since $2^t < q_i$, there always exists $s_i^{-1} \bmod n$. It is not difficult to 
verify that the distribution $\langle (x_0, x_1; s_0, s_1; u) \rangle$ output by $S$ is identical to the 
distribution of the conversations between an honest prover and honest verifier 
following Protocol 1. □ 

Protocol 1 can be used as an identification protocol in the same way as, for 
example, Schnorr's identification scheme [16]. A user $P$ wanting to authenticate 
to another party $V$ uses Protocol 1 to convince $V$ that he knows the secret 
corresponding to a public key $pk \in PK$. The public key needs to be bound to 
the identity of $P$ using some external procedure, such as certification by a trusted 
third party. Furthermore, Protocol 1 can be turned into a signature scheme, also 
in the same way that Schnorr's identification scheme is converted into a signature 
scheme, by substituting the random challenges with $s_i = \mathcal{H}(x_i, m) \in \{0, \ldots, 2^t - 1\}$, 
for example, where $\mathcal{H}$ is an appropriate one-way hash function (see [16]). 
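Protocol 1, the Theorem 4 simulator and steps 8 to 11 of the knowledge extractor, as an added example on constructed toy parameters (not the paper's code). The extractor half is the defender's lesson of Theorem 3: two accepting transcripts that share the same commitment $(x_0, x_1)$, which is what a prover produces if it ever reuses $r$, give away $SK(pk)$. Assumed: the toy key in the header, and challenges drawn from $\{1, \ldots, 2^t - 1\}$ rather than from 0, since $s_i = 0$ has no inverse modulo $n$.

```python
"""Protocol 1 (Sect. 6) with the Theorem 4 simulator and steps 8-11 of the
knowledge extractor.  Added example, not the paper's code.
Constructed toy key: q0 = 5, q1 = 7, n = 35, p = 71, g0 = 54 (order 5),
g1 = 45 (order 7), a0 = 21, a1 = 15; hence k = |q_i| = 3 and t = 2.
Deviation (assumption): challenges are drawn from {1, ..., 2^t - 1}, because
s_i = 0 has no inverse mod n and step 4 needs s_i^{-1}."""
import random

P, G0, G1 = 71, 54, 45       # public key pk = {p, g0, g1}
Q0, Q1 = 5, 7                # factorisation of n = (p - 1) / 2, known to the prover
N = Q0 * Q1
A0, A1 = 21, 15              # SK(pk) = {a0, a1}: a_i = 1 (mod q_i), 0 (mod q_{1-i})
T = 2                        # challenge length t < k

def prover_commit(r):
    """Step 1: r_i = r mod q_i, x_i = g_i^{r_i}."""
    return (pow(G0, r % Q0, P), pow(G1, r % Q1, P))

def verifier_challenge(rng):
    """Step 2: s_i in {1, ..., 2^t - 1} (see the deviation note above)."""
    return (rng.randrange(1, 2 ** T), rng.randrange(1, 2 ** T))

def prover_respond(r, s):
    """Step 3: u = r0 s0 a0 + r1 s1 a1 mod n."""
    return ((r % Q0) * s[0] * A0 + (r % Q1) * s[1] * A1) % N

def verifier_check(x, s, u):
    """Step 4: x_i == g_i^{u s_i^{-1} mod n} for i = 0, 1."""
    return (x[0] == pow(G0, u * pow(s[0], -1, N) % N, P)
            and x[1] == pow(G1, u * pow(s[1], -1, N) % N, P))

def run_protocol(seed):
    """One honest execution of Protocol 1; True iff V accepts."""
    rng = random.Random(seed)
    r = rng.randrange(N)                         # r in Z_n
    x = prover_commit(r)
    s = verifier_challenge(rng)
    return verifier_check(x, s, prover_respond(r, s))

def simulate(seed):
    """Theorem 4 simulator: choose u and s_i first, then x_i = g_i^{u s_i^{-1}}.
    The transcript verifies without any knowledge of (a0, a1)."""
    rng = random.Random(seed)
    u = rng.randrange(N)
    s = verifier_challenge(rng)
    x = (pow(G0, u * pow(s[0], -1, N) % N, P),
         pow(G1, u * pow(s[1], -1, N) % N, P))
    return x, s, u

def extract(x, s, u, s2, u2):
    """Steps 8-11 of the extractor: two accepting transcripts (s, u) and (s2, u2)
    for the same commitment x yield SK(pk).  Returns None where the paper
    outputs the failure symbol.  A prover that reuses r across sessions
    produces exactly such a pair and thereby leaks its secret key."""
    if not (verifier_check(x, s, u) and verifier_check(x, s2, u2)):
        return None
    det = (s[0] * s2[1] - s[1] * s2[0]) % N
    try:
        det_inv = pow(det, -1, N)                # step 8: system may be unsolvable mod n
    except ValueError:
        return None
    ah0 = (u * s2[1] - u2 * s[1]) * det_inv % N  # \hat a_0 = r0 a0
    ah1 = (s[0] * u2 - s2[0] * u) * det_inv % N  # \hat a_1 = r1 a1
    r = (ah0 + ah1) % N                          # step 9: r = r0 a0 + r1 a1 (CRT)
    try:
        r_inv = pow(r, -1, N)
    except ValueError:
        return None
    return (r_inv * ah0 % N, r_inv * ah1 % N)    # step 10: a_i = r^{-1} \hat a_i
```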

7 Conclusion 

We have presented a new public key cryptosystem and associated identification 
scheme based on the subgroup membership problem. We have proven that the 
cryptosystem provides semantic security in the standard model while the iden- 
tification scheme is an honest verifier zero knowledge proof of knowledge. These 
schemes therefore add to the growing toolkit of provable security primitives that 
can be used by the protocol designer looking to build complex secure systems 
with a sound basis. 

Further scrutiny of the subgroup membership problem, on which security of 
the cryptosystem is based, will enable greater confidence in its intractability. At 
the same time it may be fruitful to explore the possibilities of using the new 
schemes in various applications. 

We have not yet investigated the suitability of the new PKC to achieve the 
stronger notion of chosen ciphertext security (see [1] for example). We note, how- 
ever, that in the random oracle model we can obtain chosen ciphertext security 
by applying, for instance, the generic scheme of Fujisaki and Okamoto [8] at 
practically no computational extra cost. 
Abstract. We propose a new network security model for secure infor- 
mation flow on a multilevel secure network by defining simple security flow 
concepts. The proposed network security model enables the network to 
withstand the cascade vulnerability. Therefore, the proposed security 
model is secure against potential cascade vulnerability problems. 



1 Introduction 

Various kinds of network security models have been introduced, such as DOD 
IIS/DNSIX [1], Secure Military Message Systems (SMMS) [2], the X.400 MHS Se- 
curity Model [3] [4], Secure Data Network System (SDNS) [5], Secure Unified 
Message System (SUMS) [6], Secure Communications Service Elements (SCSE) 
[7], and other approaches [8] [9] [10] [11]. Recently, SNMPv3 requires the user- 
based security model [12], which defines the elements of procedure for providing 
SNMP message-level security. Therefore there have been many results for net- 
work security models based on mathematical modelling [13]. 

However, previously developed network security models are unlikely to be able 
to prevent the network system from being compromised by cascading. This seems 
to be caused by the nature of the security models. Since the security properties 
of the designed security models mostly focus on access control, and only partly 
on information flow, they are insufficient to prevent illegal information flows on 
a multilevel secure network. This characteristic implies that the information flow 
can take place as legal without any violation of the access control policy and 
mechanisms. 

In this paper, a new network security model is proposed for secure infor- 
mation flow on a multilevel secure network. The proposed network security mo- 
del enables the network to withstand the cascade vulnerability. Therefore, the 
proposed security model is secure against potential cascade vulnerability 
problems. 



S. Qing, T. Okamoto, and J. Zhou (Eds.): ICICS 2001, LNCS 2229, pp. 364-370, 2001. 
(c) Springer-Verlag Berlin Heidelberg 2001 
2 Preliminaries and Assumptions 

TCSEC presents the fundamental security policies for trusted systems. The 
security policies can be composed of the MAC policy, the DAC policy, the label 
policy and so on. We introduce a new security policy, the so-called cascade flow 
control (CFC) policy. The CFC policy states the security requirements for preventing 
the cascade vulnerability problem. Definition 1 and Definition 2 state the concepts 
of the cascade-secure path and the cascade-vulnerable path. Definition 3 describes 
the CFC informally. 

Definition 1. Let an object denote a node or host on the network. For 
given objects $i$ and $j$ on a network, let the path $(i, j)$ be a cascade-secure path if 
either object $i$'s TCB (Trusted Computing Base) rating or object $j$'s TCB 
rating is greater than or equal to the TCB requirement value for the pair of 
object $i$'s maximum sensitivity and object $j$'s minimum sensitivity. 

The statement of Definition 1 can be rewritten formally as follows: 

Let the $S_j$'s be elements of the set of data sensitivity levels and let the $C_k$'s be 
elements of the set of user clearance levels. Hence $T(S_j, C_k)$ is the table containing 
the TCB requirements. Let $j \to k$ denote the cascade-secure path where 

$$r_j \ge T(Max(S_j), Min(C_k))$$ 

or 

$$r_k \ge T(Max(S_j), Min(C_k))$$ 

holds, where $r_i$ is the TCB rating of each object $i$. 

From the previous definition of the cascading path, the cascade-vulnerable 
path is defined in order to distinguish it from the cascade-secure path. 

Definition 2. Let $j \not\to k$ denote the cascade-vulnerable path where 

$$T(Max(S_j), Min(C_k)) > r_j$$ 

and 

$$T(Max(S_j), Min(C_k)) > r_k$$ 

hold. 



Definition 3. (CFC Policy) The CFC is a method for information flow control 
based on the relationship between objects' accreditation ranges for a given path 
on a network. The CFC policy requires the necessary information flow condition 
as follows: 

An object $i$ can transfer the information that is sent from a source object $j$ 
to an object $q$ only if the paths $(j, i)$ and $(j, q)$ are cascade-secure paths, where 
the object $q$ is the next object for routing. 

Let $j$ and $k$ be the source object and the destination object respectively. 
Let $i$ be the intermediate object that routes the information. Let $q$ be object 
$i$'s neighbouring object for routing in the direction of $k$. From object $i$'s 
point of view, object $j$'s information can be transmitted to object $q$ via 
object $i$ if the paths $(j, i)$ and $(j, q)$ are cascade-secure paths. In this 
case, it does not matter whether the path $(i, q)$ is a cascade-vulnerable path 
or a cascade-secure path: the paths $(j, i)$ and $(j, q)$ need not be 
cascade-vulnerable even though the path $(i, q)$ is a cascade-vulnerable 
path. Therefore, the two paths $(j, i)$ and $(j, q)$ are sufficient to formulate the CFC 
policy. 

From the point of view of the next object $q$, the two paths $(j, q)$ and $(j, k)$ will be 
checked to verify whether these paths are cascade-vulnerable paths or not. 
In this case, the information can be sent from object $j$ to object $k$ via 
object $q$ if the paths $(j, q)$ and $(j, k)$ are cascade-secure paths. 

3 The Description of a Proposed Network Security Model 

In this section, a network security model is formally described such that it has 
the capability of secure information flow. Let $N$ denote the given network. 
Let $O_j$ denote the set of information objects on $j$'s side. Let's assume that 
a system state $v$ of a given network $N$ is a 3-tuple $\langle J, I, Q \rangle$ where $J$, $I$ and 
$Q$ are the identities representing the source object, the intermediate object and 
the next object for routing, respectively. 

Definition 4. (The Cascade Flow Property) A system state $v = \langle j, i, q \rangle$ holds 
the cascade flow property if 

$$j \to i,\ j \to q,\ o \in O_j,\ o \notin O_i,\ \text{and}\ o \notin O_q$$ 

implies 

$$O_i = O_i \cup \{o\}\ \text{and}\ O_q = O_q \cup \{o\}.$$ 

Let $x$, a system request, be a 2-tuple $\langle OP, Q \rangle$ where $OP$ is a set of 
operations and $Q$ is the next object of a given path. Here $OP$ denotes the set of 
operations $OP = \{in, out, route\}$. 

1 Let $in(j, i)$ denote $i$'s receive operation from the direction of $j$. 

2 Let $out(i, q)$ denote $i$'s transmit operation in the direction of $q$. 

3 Let $route(j, i, q)$ denote $i$'s route operation from $j$ to $q$. 

The operation $route(j, i, q)$ implies $in(j, i)$ and $out(i, q)$. 

The following definitions will be used to represent the disallowed operations: 

1 Let $\overline{in}(j, i)$ denote the disallowed receive operation. It means that $i$ cannot 
receive the information from $j$. 

2 Let $\overline{out}(i, q)$ denote the disallowed transmit operation. It means that $i$ 
cannot transmit the information to $q$. 

3 Let $\overline{route}(j, i, q)$ denote the disallowed route operation. It means that $i$ 
cannot route the information from $j$ to $q$. $\overline{route}(j, i, q)$ implies one of the 
following cases: 

$\overline{in}(j, i)$ and $out(i, q)$; 
$in(j, i)$ and $\overline{out}(i, q)$; 
$\overline{in}(j, i)$ and $\overline{out}(i, q)$. 

The above three cases should be distinguished to formulate the network 
security model. These three are called $route_{in}(j, i, q)$, $route_{out}(j, i, q)$, and 
$route_{io}(j, i, q)$ respectively. In the following definition, we define 
state security in terms of $route(j, i, q)$, which denotes $i$'s operation between 
$j$ and $q$. 

Definition 5. A system state $v = \langle j, i, q \rangle$ is state-secure if $\forall j, i$ and 
$q \in N$, $o \in O_j$: $j \to i$ and $j \to q \iff out(j, i)$, $route(j, i, q)$, $in(i, q)$, $O_i = 
O_i \cup \{o\}$, and $O_q = O_q \cup \{o\}$. 

Let a system $\Sigma$ be a 4-tuple $\langle X, V, v_0, \phi \rangle$ where $X$ is a set 
of system requests, $V$ is a set of system states, $v_0 \in V$ is an initial system state, 
and $\phi$ is a system transformation, that is a function of the form $X \times V \to V$. 

Definition 6. A trace $\Pi$, which is a function of the form $X \times V$, of a system 
is defined as follows: 

$\Pi(0)$ means $\langle x, v_0 \rangle$ as an initial trace, 
$\Pi(1)$ means $\langle x, v_1 \rangle$ if $\phi\langle x, v_0 \rangle = v_1$, 
$\ldots$ 
$\Pi(n-1)$ means $\langle x, v_{n-1} \rangle$ if $\phi\langle x, v_{n-2} \rangle = v_{n-1}$, and 
$\Pi(n)$ means $\langle x, v_n \rangle$ if $\phi\langle x, v_{n-1} \rangle = v_n$. 

Definition 7. A transform $\phi$ is cascade-secure if and only if it meets the 
following conditions: 

for $\forall x \in X$, $v$ and $v^* = \langle j^*, i^*, q^* \rangle \in V$, and $\phi\langle x, v \rangle = v^*$, 

1 $j^* \not\to i^*$, $o^* \in O_{j^*}$ and $o^* \notin O_{i^*}$ implies $\overline{out}(j^*, i^*)$, $\overline{in}(j^*, i^*)$, $o^* \notin O_{i^*}$. 

2 $j^* \to i^*$, $j^* \to q^*$, $o^* \in O_{j^*}$, $o^* \notin O_{i^*}$, and $o^* \notin O_{q^*}$ im- 
plies $out(j^*, i^*)$, $route(j^*, i^*, q^*)$, $in(i^*, q^*)$, $O_{i^*} = O_{i^*} \cup \{o^*\}$, and 
$O_{q^*} = O_{q^*} \cup \{o^*\}$. 

3 $j^* \to i^*$, $j^* \not\to q^*$, $o^* \in O_{j^*}$, $o^* \notin O_{i^*}$, and $o^* \notin O_{q^*}$ implies 

$out(j^*, i^*)$, $route_{out}(j^*, i^*, q^*)$, $o^* \in O_{j^*}$, $o^* \in O_{i^*}$, and $o^* \notin O_{q^*}$. 

We say a transform $\phi$ is transform-secure if and only if it is cascade-secure, 
and a trace $\Pi$ is secure if all its states are state-secure and its transformations 
are transform-secure. Also, a system $\Sigma = \langle X, V, v_0, \phi \rangle$ is secure if each of its 
traces is secure. 
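Definitions 1 to 3 and the three cases of Definition 7 as an added example (not the paper's code): a cascade-secure path check, the CFC routing decision, and one transformation step that updates the object sets $O_i$ and $O_q$. The level ordering, the TCB requirement table $T$ and the object ratings are constructed for illustration; `demo` routes one object from $j$ via $i$ towards a well rated hop (allowed) and towards a weakly rated one (refused).

```python
"""Cascade-secure paths (Definitions 1-2), the CFC routing rule (Definition 3)
and one transformation step following the three cases of Definition 7.
Added example, not the paper's code.  The level ordering, the TCB requirement
table T and the object ratings are all constructed for illustration."""

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}   # constructed ordering of levels

def T(max_sensitivity, min_clearance):
    """Constructed TCB requirement for the range (Max(S_j), Min(C_k)): the wider
    the spread between highest data level and lowest clearance, the higher the
    rating demanded.  The paper's real T is a table; this function stands in."""
    return max(LEVELS[max_sensitivity] - LEVELS[min_clearance], 0)

# Each object: TCB rating r_i, maximum data sensitivity Max(S_i), minimum clearance Min(C_i)
OBJECTS = {
    "j": {"rating": 2, "max_s": "TS", "min_c": "C"},   # source
    "i": {"rating": 3, "max_s": "S", "min_c": "U"},    # intermediate router
    "q": {"rating": 0, "max_s": "TS", "min_c": "U"},   # a weakly rated next hop
    "k": {"rating": 3, "max_s": "TS", "min_c": "U"},   # a well rated next hop
}

def cascade_secure(objects, j, k):
    """Definition 1: r_j >= T(Max(S_j), Min(C_k)) or r_k >= T(Max(S_j), Min(C_k)).
    Definition 2 (cascade-vulnerable) is exactly the negation."""
    need = T(objects[j]["max_s"], objects[k]["min_c"])
    return objects[j]["rating"] >= need or objects[k]["rating"] >= need

def may_route(objects, j, i, q):
    """Definition 3 (CFC policy): i may forward j's information to q only if both
    (j, i) and (j, q) are cascade-secure; the hop (i, q) itself is not consulted."""
    return cascade_secure(objects, j, i) and cascade_secure(objects, j, q)

def transform(objects, store, state, o):
    """One step of phi on state <j, i, q> for an object o of O_j, following the
    three cases of Definition 7.  `store` maps each node to its set O_x and is
    updated in place; the returned tuple lists the operations that took place
    (a trailing "_bar" marks a disallowed operation)."""
    j, i, q = state
    if o not in store[j]:
        raise ValueError("o must be an information object held by the source j")
    if o in store[i] or o in store[q]:
        return ()                                   # no case of Definition 7 applies
    if not cascade_secure(objects, j, i):
        return ("out_bar", "in_bar")                # case 1: O_i unchanged
    if cascade_secure(objects, j, q):
        store[i].add(o)                             # case 2: O_i and O_q both grow
        store[q].add(o)
        return ("out", "route", "in")
    store[i].add(o)                                 # case 3: i receives, but route_out
    return ("out", "route_out")                     #         refuses the hop to q

def demo():
    """Route o1 from j via i towards k (allowed) and towards q (refused)."""
    store = {name: set() for name in OBJECTS}
    store["j"].add("o1")
    allowed = transform(OBJECTS, store, ("j", "i", "k"), "o1")
    store2 = {name: set() for name in OBJECTS}
    store2["j"].add("o1")
    refused = transform(OBJECTS, store2, ("j", "i", "q"), "o1")
    return allowed, sorted(store["k"]), refused, sorted(store2["q"])
```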

Since we have already defined the security of a system in terms of traces, we have 
to demonstrate that the network model is secure against the cascade vulnerability in 
every state. In the following, a Basic Security Theorem is presented to prove that 
the proposed network security model is secure against the cascade vulnerability 
during information flows. We use mathematical induction on the number of 
states in the proposed network model to show that it is secure in terms of 
traces as we defined. 
Theorem. Every state of a system $\Sigma = \langle X, V, v_0, \phi \rangle$ is secure if $v_0$ is secure 
and $\phi$ is transform-secure. 

Proof. 

We apply mathematical induction on $n$. 

1 Let $v_0$ be secure. Let $v_0 = \langle j^0, i^0, q^0 \rangle$. From Definition 5, $j^0 \to i^0$ and 
$j^0 \to q^0$ where $o^0 \in O_{j^0}$. Then, 

$out(j^0, i^0)$, $route(j^0, i^0, q^0)$, $in(i^0, q^0)$, $O_{i^0} = O_{i^0} \cup \{o^0\}$, and $O_{q^0} = 
O_{q^0} \cup \{o^0\}$. 

2 Let $v_1 = \langle j^1, i^1, q^1 \rangle$ where $\phi(x, v_0) = v_1$. The following cases are 
considered: 

1 By condition 1 of Definition 7: 

$j^1 \not\to i^1$, $o^1 \in O_{j^1}$, and $o^1 \notin O_{i^1}$ $\Rightarrow$ $\overline{out}(j^1, i^1)$, $\overline{in}(j^1, i^1)$, and $o^1 \notin O_{i^1}$. 
This implies $v_1$ is secure. 

2 By condition 2 of Definition 7: 

$j^1 \to i^1$, $j^1 \to q^1$, $o^1 \in O_{j^1}$, $o^1 \notin O_{i^1}$, and $o^1 \notin O_{q^1}$ 
$\Rightarrow$ $out(j^1, i^1)$, $route(j^1, i^1, q^1)$, $in(i^1, q^1)$, $O_{i^1} = O_{i^1} \cup \{o^1\}$, and $O_{q^1} = O_{q^1} \cup \{o^1\}$. 
This implies $v_1$ is secure. 

3 By condition 3 of Definition 7: 

$j^1 \to i^1$, $j^1 \not\to q^1$, $o^1 \in O_{j^1}$, $o^1 \notin O_{i^1}$, and $o^1 \notin O_{q^1}$ 
$\Rightarrow$ $out(j^1, i^1)$, $route_{out}(j^1, i^1, q^1)$, $o^1 \in O_{j^1}$, $o^1 \in O_{i^1}$, and $o^1 \notin O_{q^1}$. 
This implies $v_1$ is secure. 

By 1, 2 and 3, $v_1$ is secure. 

3 Suppose that $v_{n-2}$ is secure (the induction hypothesis). 
Then $v_{n-1} = \langle j^{n-1}, i^{n-1}, q^{n-1} \rangle$ where $\phi(x, v_{n-2}) = v_{n-1}$. The following 
cases are considered: 

1 By condition 1 of Definition 7: 

$j^{n-1} \not\to i^{n-1}$, $o^{n-1} \in O_{j^{n-1}}$, and $o^{n-1} \notin O_{i^{n-1}}$ 
$\Rightarrow$ $\overline{out}(j^{n-1}, i^{n-1})$, $\overline{in}(j^{n-1}, i^{n-1})$, and $o^{n-1} \notin O_{i^{n-1}}$. 
This implies $v_{n-1}$ is secure. 

2 By condition 2 of Definition 7: 

$j^{n-1} \to i^{n-1}$, $j^{n-1} \to q^{n-1}$, $o^{n-1} \in O_{j^{n-1}}$, $o^{n-1} \notin O_{i^{n-1}}$, and $o^{n-1} \notin O_{q^{n-1}}$ 
$\Rightarrow$ $out(j^{n-1}, i^{n-1})$, $route(j^{n-1}, i^{n-1}, q^{n-1})$, $in(i^{n-1}, q^{n-1})$, 
$O_{i^{n-1}} = O_{i^{n-1}} \cup \{o^{n-1}\}$, and $O_{q^{n-1}} = O_{q^{n-1}} \cup \{o^{n-1}\}$. 
This implies $v_{n-1}$ is secure. 

3 By condition 3 of Definition 7: 

$j^{n-1} \to i^{n-1}$, $j^{n-1} \not\to q^{n-1}$, $o^{n-1} \in O_{j^{n-1}}$, $o^{n-1} \notin O_{i^{n-1}}$, and $o^{n-1} \notin O_{q^{n-1}}$ 
$\Rightarrow$ $out(j^{n-1}, i^{n-1})$, $route_{out}(j^{n-1}, i^{n-1}, q^{n-1})$, 
$o^{n-1} \in O_{j^{n-1}}$, $o^{n-1} \in O_{i^{n-1}}$, and $o^{n-1} \notin O_{q^{n-1}}$. 
This implies $v_{n-1}$ is secure. 

By 1, 2 and 3, $v_{n-1}$ is secure. 

From the results of the above 1, 2 and 3, using the induction hy- 
pothesis, every state of a system $\Sigma = \langle X, V, v_0, \phi \rangle$ is secure. 

□ 



4 Conclusion 

In this paper, we propose a network security model for secure information flow 
on a multilevel secure network. At first, we define the cascade-secure path and the 
cascade-vulnerable path to induce a new information flow control policy. Even though 
it is based on a new security policy assumption, called the cascade flow control policy, 
the policy is practical in terms of information flow. It could cooperate with a 
role-based (access) control policy and be applicable to actual network security 
management products. Then, we define state security of a system using a trace, 
which is the history of each state according to the information flow. Finally we prove 
that the proposed model is secure by mathematical induction on the number 
of states. 

The proposed network security model enables the network to withstand the 
cascade vulnerability. Therefore, the proposed security model is secure against 
potential cascade vulnerability problems. 
Abstract. Current network intrusion detection systems are of a low in- 
telligence level and have the main deficiency of being unable to detect 
new intrusive behaviours with unknown signatures. 

The protection mechanism of the natural immune system has inspired 
us to design a novel network intrusion detection system. Research 
on modelling a NIDS on the natural immune system has just started, 
including the negative selection algorithm proposed by S. Forrest and 
the basic system model proposed by J. Kim. Based on their work, this 
paper proposes a novel system structure including affinity mutation, 
which is used to improve the performance of anomaly detection, and 
establishes a basic system based on artificial immunology. This paper 
stresses the novel construction and testing experiments. The results of the 
experiments prove that the application of the protection mechanism of the 
natural immune system to network intrusion detection systems has an 
exciting perspective. 



1 Introduction 

The NIDS, a kind of developing system, plays an important role in network 
security [1, 2]. The protection mechanism of the natural immune system is an ex- 
cellent real paradigm for research on network intrusion detection, especially 
the mechanism of recognizing non-self pathogens (namely antigens) in im- 
mune recognition, immune evolution, the immune regulation mechanism, the im- 
mune memory mechanism and others. All of them can be extracted and mod- 
elled to guide the construction of a novel NIDS. This related research has just 
started; D. Dasgupta gives a good summary in his paper [3]. The typical 
works include: S. Forrest put forward the self/non-self discrimination algorithm 
based on the T-cell immune response mechanism [4]; S. Hofmeyr analyzed the al- 
gorithm offered by S. Forrest and made an experiment about SYN attacks [5]; J. 
Kim analyzed the work of S. Forrest and provided a possible network intrusion 
detection model [6, 7, 8]. 

Based on the above works and deep exploration of the natural immune system, 
network intrusion means, and network intrusion detection models and systems based on 
artificial immunology, we design and establish a NIDS prototype. With regard 
to self-learning, based on the work on gene library evolution proposed by J. 
Kim, we apply affinity mutation to our NIDS, which mainly reflects the evolution 
function of the immune system and strongly improves the ability of our NIDS to 
detect possible attacks. This paper describes the modules of the system and the 
corresponding mechanism and offers the results of the experiments. 

This paper is organized as follows. Section 2 introduces components of the 
NIDS based on artificial immunology and corresponding principles; section 3 is 
the experiment and experimental result; the last section is the conclusion and 
perspective. 



2 The Components of the NIDS Based on Artificial 
Immunology 

2.1 Introduction of Natural Immune Mechanism 

The basic function of the natural immune system is to distinguish self from non-self, 
classify the non-self and then eliminate it [9]. The natural immune system consists 
of immune organs, immune cells and immune molecules. Immune organs consist 
of central immune organs and peripheral immune organs. Central immune organs 
are composed of bone marrow and thymus, where lymphocytes and other im- 
mune cells generate, differentiate and mutate. Peripheral immune organs 
include lymphocytes, spleen, and catarrh tissues, where T-cells and B-cells settle 
and proliferate, and where the immune system responds to antigen stimulation. 

Immune response can be classified into primary immune response and sec- 
ondary immune response. When the immune system is confronted with an un- 
known pathogen (namely an antigen), it can selectively generate many antibod- 
ies by bone marrow and thymus to recognize and analyze the antigen; and can 
memorize it after the antigen is recognized. This is the process of primary im- 
mune response, which normally needs a long period of time. Secondary immune 
response, which normally needs a short period of time, means that immune sys- 
tem can give out immune response quickly when the similar antigen intrudes 
again, activate the corresponding antibody, and eliminate the antigen by com- 
plex chemical responses. 

During the course of an immune response, the activated immune cells undergo 
affinity mutation to recognize the antigen. Through affinity mutation, the im- 
mune system can generate many more efficient antibodies to recognize the anti- 
gen step by step. 

2.2 The Components of the NIDS Based on Artificial Immunology 

As Figure 1 shows, like the model of J. Kim [6, 7, 8], this system is composed 
of PIDS and SIDS. PIDS produces detector sets and sends them to all secondary 
intrusion detection systems. SIDS detects the network data traffic where it is lo- 
cated, returns the result to PIDS, and drives PIDS to evolve. PIDS and SIDS 
cooperate with each other and make up an NIDS which pos- 
sesses high self-adaptive ability and can recognize both known and unknown 
signatures. 

Fig. 1. Structure of NIDS based on artificial immunology 

Affinity mutation driven by the feedback from SIDS to PIDS is our main 
innovation; it is what gives immature detectors good performance. 
Affinity mutation is the most important evolution approach to improving the 
self-adaptive ability, both in the natural immune system and in our NIDS based on 
artificial immunology. 

2.3 The Feedback Learning Ability 

As Figure 1 shows, affinity mutation and gene library evolution are used to 
improve the detection probability. For gene library evolution, enough 
information can be found in references [6, 7, 8]. Here we explain affinity mutation. 

Firstly, an activation threshold and a non-self threshold are defined. The signature 
of the current network traffic is regarded as non-self if the affinity between the 
signature and any detector is over the non-self threshold; this signature is then fed back for 
affinity mutation and gene library evolution. If the affinity between the signature 
and any detector is over the activation threshold, the signature is fed back for affinity mutation. 
By affinity mutation, the system generates lots of similar detectors to judge 
whether the current network traffic is normal or not, just like the generation of 
antibodies when an antigen intrudes in the natural immune system. 

3 Experiment 

3.1 System Description 

By analyzing the TCP/IP protocols and all kinds of attacks, we extract from the 
network data traffic features that accurately reflect current network be- 
haviour, such as the total count of packets, the total count of bytes, and the total count 
of SYN packets. According to these extracted features, we define the self pattern 
and the non-self pattern. Table 1 is the basic self/non-self pattern adopted in 
our prototype system now. 



Table 1. Self/Non-self pattern definition 

Index  Name  Meaning 
1      RPN   Destination port 
2      SPN   Source port 
3      SS    The count of SYN packets 
4      SDN   The count of data packets sent 
5      RDN   The count of data packets received 
6      SEQ   The value of SEQ in the IP data packet 


As a NIDS, our system can detect various attacks aimed at weaknesses of 
TCP/IP, and can also detect attacks that have a great effect on network perfor- 
mance, including port scanning and most DoS attacks. 



3.2 Practical Experiment 

We build an actual environment to test the ability of the AIS-based IDS. On our 
experimental platform, PIDS is placed on the gateway and every SIDS is placed on a 
terminal of the internal network. In our experiment, we use only one SIDS. 

Table 2 shows some results of our experiment. 

After a lot of experiments, the abilities of this NIDS based on artificial im- 
munology are not bad, especially the ability to recognize unknown intrusions. It 
is necessary to note that our IDS doesn't initially know any intrusive signatures, 
and that the system can learn to detect all attacks from the self-signatures and non-self 
signatures learned before. 

It must be noted that a SIDS on a terminal can be configured to monitor not 
only the network behaviour of the terminal itself, but also the behaviour of the subnet 
that it belongs to. 

4 Conclusion 

Nowadays, network security is an urgent problem. Current network intrusion 
detection systems can't meet practical requirements. The natural immune system is 
a very good example for designing the defensive mechanism of our open and fragile 
networks, especially IDS. 

Table 2. Some results of real experiment 

Attack type   Attack tools (running system)                                      AIS (can or can't) 
scanport      Portscan (win)                                                     Yes 
              Haktak (win)                                                       Yes 
              Netfox (win)                                                       Yes 
              Scan.c (linux)                                                     Yes 
              Twwwscan.exe (win)                                                 Yes 
Tear Drop     Teardrop.c (linux)                                                 Yes 
SYN           Syn.c (linux)                                                      Yes 
              Running 2 hours without attacks (heavy network traffic, daytime)   There exist false alerts 
              Running 8 hours without attacks (light network traffic at night)   No false alerts 

This paper introduces a feasible structure of NIDS based on artificial im- 
munology and its corresponding basic inspirations from the biological immune 
system, puts forward a new recognition algorithm, and analyzes the characteristics 
of the system. Practical experiments prove that the design of detection technolo- 
gies based on the protective mechanism of the natural immune system has a 
promising future. 

The ultimate purpose of our artificial immune research is to extract practical 
models, of both theory and engineering, for network security. It has just started: 
this work is the first step, and there is much more work to do in the future. 
Abstract. In recent years, SPKI, X.509 attribute certificates, and KeyNote 
have been proposed as mechanisms to create and specify authorization 
certificates, access control lists, or security policies in distributed 
environments. In this work we propose a new protocol able to negotiate 
and use some of these specifications. AMBAR is a multi-layered protocol 
based on a request/response model. In general, it provides functionality 
to transmit resource access requests, the authorization information re- 
lated to those requests (credentials, ACLs), and results obtained from a 
certificate chain discovery method or compliance checker. It adds secu- 
rity by acting as a separate security layer inserted between the higher 
protocols and TCP (or a different transport protocol). 



1 Introduction 

Public key cryptography is widely recognized as being a fundamental technology 
on which several essential security services can be built. The Internet commu- 
nity is agreeing on the use of systems based on the X.509 standard [10] and 
the SSL protocol [2] in order to provide basic security services to e-commerce. 
In recent years, public key cryptography has also been proposed as a tool for 
solving the problems related to authorization and access control. SPKI/SDSI [8] 
and KeyNote [4] propose mechanisms for capturing security-relevant informa- 
tion and binding authorization data to public keys. Recently, the PKIX Work- 
ing Group published a specification [9] defining the X.509 Attribute Certificates 
(AC) profile. However, most of the current security protocols do not provide 
any mechanism to negotiate, transmit, or process data related to authorization 
certificates or security policies. 

In this paper, we propose a new access control protocol able to negotiate 
and to use authorizations based on public key cryptography. AMBAR (Access 
Control Based on Authorization Reduction) does not depend on a particular 
type of authorization or identity-based certificate, and it contains a negotiation 
phase designed to adapt the protocol to access control scenarios with different 
requirements (anonymity, confidentiality, credential recovery, etc.). In general, 
it provides functionality to transmit resource access requests, the authorization 
information related to those requests (credentials, ACLs), and results obtained 
from a certificate chain discovery method or compliance checker. 

2 Protocol Requirements 

We consider that the access control protocol must accomplish three main goals. 
First, it must be independent of applications or higher protocols, i.e., it must 
support any application-specific authorization, policy or request. Second, it must 
be able to operate with different identity-based infrastructures and authorization 
systems. Finally, access requests must be managed efficiently with the purpose 
of obtaining a good response time. 

We can find in the literature some access control systems using authorizations 
[11]. In general, these systems process requests individually, i.e., there is no 
implicit concept of a protocol session, and therefore every request is transmitted 
together with the related credentials, ACLs, authorization decisions, etc. This 
situation is especially problematic when the communication is performed repeatedly 
between the same client and server, since most of the exchanged information has 
been previously transmitted, and some calculations have already been computed. We 
consider that these protocols should be session-oriented, and they should keep a 
local cache of the information exchanged in a particular session in order to avoid 
unnecessary calculations and communications. 

Next, we state all the requirements for the protocol. We also include some 
additional requirements not discussed above. 

1. The protocol must be able to negotiate which type of identity and autho- 
rization certificates will be used. 

2. It should offer confidentiality services to protect the transmitted data. 

3. The protocol must allow anonymous access to preserve user identity. Addi- 
tionally, an identified access mode must be implemented too. 

4. It must support several credentials distribution methods. In some scenarios, 
it will be suitable for a client to “push” authorizations to a server, which 
improves server performance. In other cases, it will be more suitable for a 
server to request or “pull” the credentials from an issuer or repository. 

5. The protocol must provide a method for establishing authorized data streams 
between clients and servers. Higher level protocols should layer on top of this 
protocol transparently. 

6. The design must be modular in order to easily add further functionality. 

3 AMBAR Overview 

As we will see in this section, we have chosen to create an entirely new protocol 
layer for authorization. The design follows the prudent engineering practices 
set out in [1,3]. 

The AMBAR protocol consists of different components organized, as Figure 
1 illustrates, in two layers. 
Fig. 1. AMBAR Architecture 



— Session Management module (SM). This module transmits the client 
and server security preferences, and generates the cryptographic data used 
by the TC layer to protect the subsequent communications (if confidentiality 
was negotiated). Clients and servers negotiate the following parameters: 

• Symmetric cipher. Parties select the symmetric cipher and its key length. 

• Operation mode. AMBAR supports two operation modes: anonymous 
client mode and fully identified. 

• Identity-based certificates. It is possible to select X.509, OpenPGP [5], 
or SDSI certificates. 

• Authorization-based certificates. AMBAR supports SPKI certificates, 
PKIX attribute certificates and KeyNote asserts. 

• Credentials distribution. Parties can select whether the credentials will 
be provided by the client (push), or will be obtained by the server from 
either a repository or an issuer (pull). 

— Request Management module (RM). The RM module transmits two 
types of messages: messages related to authorization requests and creden- 
tials; and messages related to decisions and ACLs. The contents and the se- 
quence of these messages are determined by the negotiated operation mode 
and the method for distribution of credentials. As we mentioned previously, 
a session-oriented protocol makes some optimizations possible. Therefore, 
the RM module could be responsible for optimizing access control 
computations. 

— Authorization Results Management module (ARM). The ARM mod- 
ule generates notifications and transmits the demanded resources. Negative 
notifications are transmitted by the server when the access is denied. If the 
access were granted, there would be two possible response messages: an affir- 
mative notification if the client requested the execution of remote actions; or 
the controlled resource. It also enables (disables) the DSM module when an 
authorization request demanding the establishment (conclusion) of a data 
stream is granted. 

— Error Management module (EM). Systems use the EM module to signal 
an error or caution condition to the other party in their communication. The 
EM module transmits a severity level and an error description. 

— Data Stream Management module (DSM). The described re- 
quest/response model is not suitable if we plan to use AMBAR as a transpar- 
ent layer providing confidentiality, authentication and access control services. 
The DSM module, initially disabled, controls the transmission of arbitrary 
data streams, which are enabled once a request demanding the activation of 
this module is granted. 

— Transport Convergence module (TC). The TC module provides a com- 
mon format to frame SM, RM, ARM, EM, and DSM messages. This module 
takes the messages to be transmitted, authenticates the contents, then ap- 
plies the agreed symmetric cipher (always a block cipher), and encapsulates 
the results. The cryptographic data used to protect the information is com- 
puted by the SM module during the negotiation phase. 

4 Some Details of the Protocol 

In order to show some details of the messages related to the request/response 
phase, we will analyze in this section the push distribution method using its 
typical message sequence. The negotiation phase has been omitted due to lack 
of space (more information about AMBAR can be found in [6]). Therefore, we 
will assume that both client and server have already negotiated cryptographic 
preferences and operation modes. The notation employed is described along with 
the explanation of the messages. We will consider a transaction as the differ- 
ent messages related to a specific authorization request, and a session as the 
sequence of different transactions. 

In a session based on the push method, clients calculate the authorization 
proof after receiving the ACL controlling the resource from servers. 

1  Request           C → S  {T_ID, T_step, SFlag, Request, [Asserts]}_{K_sym}^{K_mac} 

2  ACL               S → C  {T_ID, T_step, ACL}_{K_sym}^{K_mac} 

3  Calculation       C → S  {T_ID, T_step, Calculation}_{K_sym}^{K_mac} 

4  Neg_Notification  S → C  {T_ID, T_step, Notification}_{K_sym}^{K_mac} 

4  Aff_Notification  S → C  {T_ID, Notification}_{K_sym}^{K_mac} 

4  Resource          S → C  {T_ID, Resource}_{K_sym}^{K_mac} 

The Request message, generated by the RM module, represents the autho- 
rization request formulated by the client. It contains a transaction identifier 
T_ID, a transaction step identifier T_step, a flag indicating whether this is a re- 
quest for a data stream (SFlag), a set of asserts or authorizations related to 
the request, and the authorization request. Data are ciphered using K_sym 
and are authenticated with K_mac (both derived during the SM phase). All messages 
analyzed in this section are protected in the same way. 

The server response, generated by the RM module, is the ACL message. It 
contains the ACL protecting the resource, the same T_ID included in the request, 
and an incremented transaction step identifier T_step. 

Once the client receives the ACL, it creates a certificate chain from its public 
key to the ACL entry related to the resource. That chain may be composed of 
authorization and ID certificates, and it is the output of the certificate chain 
discovery method (or trust management engine). The client-side RM module 
sends that result to the server in the Calculation message. 

The final step is the server response to the calculation. If the calculation 
were wrong, the server would send a Neg_Notification message. That message 
includes the error description (Notification), an incremented transaction step 
T_step, and the T_ID identifier (included in all the ARM messages). On the other 
hand, when the server validates the request, it returns the Resource message 
(when the requested resource is a file, document, etc.) or an Aff_Notification 
message (if the request is for a remote action). 
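As an added illustration (not code from the AMBAR paper or its C++ implementation), the following Python models one push-mode transaction over the TC layer: Request, ACL, Calculation and the final ARM message, with the server tracking T_ID and T_step per transaction so that an out-of-order or replayed Calculation is refused with an EM error. The HMAC framing, the JSON message encoding, the (issuer, subject) delegation list used as the authorization proof, the client key carried in the Request, the ACL contents and the resource names are all assumptions of this example, and confidentiality is taken as not negotiated.

```python
import hashlib
import hmac
import itertools
import json

# K_mac is derived by the SM module during the (omitted) negotiation phase; a fixed
# constructed value stands in for it here. Confidentiality is assumed not to have been
# negotiated, so TC frames are authenticated but not enciphered.
K_MAC = b"constructed-session-K_mac"

# Constructed server state: each ACL entry names the keys allowed to read a resource.
ACLS = {"/report": ["K_admin"]}
CONTENT = {"/report": "Q3 figures"}


def tc_frame(msg):
    """TC module: serialise the message and authenticate it with K_mac."""
    body = json.dumps(msg, sort_keys=True).encode()
    return body + b"|" + hmac.new(K_MAC, body, hashlib.sha256).hexdigest().encode()


def tc_open(frame):
    """TC module on receipt: verify the tag before any field is interpreted."""
    body, tag = frame.rsplit(b"|", 1)
    expected = hmac.new(K_MAC, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("TC: frame failed authentication")
    return json.loads(body)


def chain_is_valid(acl_entry, chain, client_key):
    """Stand-in compliance checker: `chain` is a list of (issuer, subject) delegations
    that must start at a key named in the ACL entry and end at the client's key."""
    if not chain:
        return client_key in acl_entry
    if chain[0][0] not in acl_entry or chain[-1][1] != client_key:
        return False
    return all(subj == nxt_issuer for (_, subj), (nxt_issuer, _) in zip(chain, chain[1:]))


def error(tid, desc):
    """EM module message: a severity level plus an error description."""
    return tc_frame({"type": "Error", "T_ID": tid, "severity": "fatal", "desc": desc})


class Server:
    def __init__(self):
        self.tx = {}  # T_ID -> (next expected T_step, resource, client key)

    def handle(self, frame):
        msg = tc_open(frame)
        tid, step = msg["T_ID"], msg["T_step"]
        if msg["type"] == "Request":
            if tid in self.tx or step != 1 or msg["Request"] not in ACLS:
                return error(tid, "unknown resource or reused T_ID")
            self.tx[tid] = (3, msg["Request"], msg["client_key"])
            return tc_frame({"type": "ACL", "T_ID": tid, "T_step": 2,
                             "ACL": ACLS[msg["Request"]]})
        if msg["type"] == "Calculation":
            state = self.tx.get(tid)
            if state is None or state[0] != step:  # unknown, out-of-order or replayed step
                return error(tid, "unexpected T_step")
            self.tx[tid] = (None, state[1], state[2])  # transaction closed: replays fail above
            if chain_is_valid(ACLS[state[1]], msg["Calculation"], state[2]):
                return tc_frame({"type": "Resource", "T_ID": tid, "T_step": 4,
                                 "Resource": CONTENT[state[1]]})
            return tc_frame({"type": "Neg_Notification", "T_ID": tid, "T_step": 4,
                             "Notification": "authorization proof rejected"})
        return error(tid, "unknown message type")


class Client:
    _ids = itertools.count(1)

    def __init__(self, key, certs):
        self.key, self.certs, self.last_frame = key, certs, None

    def discover(self, acl_entry):
        """Certificate chain discovery: depth-first search backwards over held certs."""
        def walk(key, path):
            if key in acl_entry:
                return list(reversed(path))
            for cert in self.certs:
                if cert[1] == key and cert not in path:
                    found = walk(cert[0], path + [cert])
                    if found is not None:
                        return found
            return None
        return walk(self.key, [])

    def run(self, server, resource):
        """One push-mode transaction: Request -> ACL -> Calculation -> final ARM message."""
        tid = next(self._ids)
        reply = tc_open(server.handle(tc_frame({
            "type": "Request", "T_ID": tid, "T_step": 1, "SFlag": False,
            "Request": resource, "client_key": self.key})))
        if reply["type"] != "ACL":
            return reply
        self.last_frame = tc_frame({"type": "Calculation", "T_ID": tid, "T_step": 3,
                                    "Calculation": self.discover(reply["ACL"])})
        return tc_open(server.handle(self.last_frame))


def demo():
    server = Server()
    alice = Client("K_alice", [("K_admin", "K_ops"), ("K_ops", "K_alice")])
    mallory = Client("K_mallory", [("K_ops", "K_mallory")])  # no path back to K_admin
    granted = alice.run(server, "/report")
    denied = mallory.run(server, "/report")
    replayed = tc_open(server.handle(alice.last_frame))       # Calculation sent twice
    return granted, denied, replayed


if __name__ == "__main__":
    print(demo())
```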

5 Conclusions 

We have introduced AMBAR as a new protocol able to negotiate and to use 
some of the proposed specifications for distributed authorization architectures. 
It proposes a message format for transmitting authorization information, and 
it has been designed session-oriented in order to optimize the way the autho- 
rization decisions are made (saving unnecessary calculations and transmissions). 
AMBAR does not depend on a particular type of authorization or identity-based 
certificate, and it can be easily extended to support future proposals. Currently, 
AMBAR has been implemented in C++ and it is being tested using authoriza- 
tion certificates based on SPKI [7]. 
Abstract. Secure group communication with hierarchical access control 
refers to a scenario where a group of members is divided into a number of 
subgroups located at different privilege levels and a high-level subgroup 
can receive and decrypt messages within any of its descendant lower-level 
subgroups; but the converse is not allowed. In this paper, we propose 
a new scheme CRTHACS, which is based on the Chinese Remainder 
Theorem. The scheme not only enables secure hierarchical control but 
also provides the following properties: hiding of hierarchy and receivers, 
authentication of both senders and messages, and a mechanism for the 
receiver to directly derive the key of a message. 



1 Introduction 

Secure group communication (SGC) with hierarchical access control (HAC) 
refers to a scenario where a group of members is divided into a number of sub- 
groups located at different privilege levels and a high-level subgroup can receive 
and decrypt messages within any of its descendant lower-level subgroups; but 
the converse is not allowed. HAC is generally enforced using cryptography-based 
techniques [2], i.e., cryptographic keys play a primary role in the control of access 
rights. If the members in a higher-level subgroup possess or can derive the key 
of a lower-level subgroup, the members have the right to access the messages 
within the lower-level subgroup. Cryptography-based techniques for SGC with 
HAC can be divided into two main types: dependent key schemes [1],[3],[6],[8], 
in which any subgroup key is directly derived from its parent's key and thus indi- 
rectly from any of its ancestors' keys, and independent key schemes [5], in which 
all subgroup keys are independent; however, there are some precomputed 
parameters from which an ancestor can compute the keys of all its descendants. 

In this paper we propose a new scheme which belongs to the second category, 
viz., an independent key scheme. The scheme is based on the Chinese Remainder 
Theorem (CRT) [10]. In the scheme, every subgroup can select and change its 
own key independently, which is an important security factor [5]. In addition, 
the scheme also provides the following properties: (1) hiding the hierarchy and 
receivers, (2) authentication of both senders and messages, and (3) a receiver 
can directly derive the key of the message sender regardless of how far down the 
hierarchy the sender is from the receiver. Hiding the hierarchy is a good feature 
in the sense that the less hierarchical information subgroups know, the more 
secure the system will be, and the easier it is to insert or delete a subgroup. 
Moreover, there is no overhead cost in storing the hierarchy information. Hiding 
receivers is useful in situations when outsiders (i.e., non-group members) are not 
allowed to know who the receivers are, when the sender is not allowed to know 
who the receivers are, or when it is difficult for a sender to know who the receivers 
are. We call the scheme Chinese Remainder Theorem Based Hierarchical Access 
Control Scheme (CRTHACS) and present the scheme in the next section. 



2 Chinese Remainder Theorem Based Hierarchical Access 
Control Scheme for Secure Group Communication 

2.1 CRTHACS Components and Initialization 

There is a Group Controller (GC) in CRTHACS. The entire group is divided into 
subgroups and the subgroups are located at different nodes of a hierarchy (the 
most general case is a Directed Acyclic Graph, i.e. DAG [2]). Every subgroup has 
a subgroup controller which is responsible for managing all members in its sub- 
group and communicating with the GC. We do not consider here how subgroup 
controllers manage their subgroups; however, we remark that any group key man- 
agement protocol such as the key tree scheme [7], [11] can be used. We denote 
subgroups by G_1, G_2, ..., G_n. For simplicity, we also use G_1, G_2, ..., G_n to de- 
note the subgroup controllers. We also denote the ancestors of G_i by G_{i_1}, ..., G_{i_r}. 

The GC has a pair of public and private keys (P_GC, S_GC) with P_GC being 
made public. The GC performs the following tasks. It maintains the entire struc- 
ture of the group; generates a random set of pairwise relatively prime numbers 
N_0, N_1, N_2, ..., N_n; publicizes N_0 and sends N_i to G_i securely, i.e., N_i is en- 
crypted by G_i's public key P_i; computes COM_CRT_i (see equation (1)) using 
the CRT algorithm and sends COM_CRT_i back to G_i securely. 

Every subgroup G_i is associated with the following six elements 
(P_i, S_i, K_i, N_i, COM_CRT_i, M_i) where P_i, S_i and K_i are generated by subgroup 
controller G_i whereas N_i, COM_CRT_i and M_i are generated by the GC. P_i is 
the public key of G_i and is made public. However, all other five elements are 
kept secret. S_i is the private key of G_i corresponding to P_i. P_i and S_i are used 
to encrypt and decrypt the other four elements. K_i is the data key of G_i and is 
used to encrypt data messages. N_i is the positive integer received from the GC 
and will be used in CRT computation. COM_CRT_i, a positive integer, is called 
a CRT key and is computed from K_i using the CRT algorithm by the GC (see 
equation (1)). All ancestral subgroups of G_i can use COM_CRT_i to compute the 
key K_i using the CRT algorithm too. M_i is also a positive integer (see equation 
(2)) and will be used in another type (i.e., data message) of CRT computation 
(see equation (3)). 

Every participant j has its own public key and private key (p_j, s_j), and p_j 
is made public. Participant j in a subgroup G_i also knows its subgroup's six 
elements, of which j receives P_i, S_i, K_i from G_i and N_i, COM_CRT_i, M_i 
from the GC. 

The GC and subgroup controllers collaborate to compute the CRT keys as 
follows. Every subgroup G_i selects its own subgroup data key K_i. After sign- 
ing and encrypting the key,¹ G_i sends E_{P_GC}(E_{S_i}(K_i)) to the GC, where E is a 
public-key encryption algorithm or a signature algorithm.² The GC decrypts the 
key K_i, determines all the ancestors G_{i_1}, G_{i_2}, ..., G_{i_r} of G_i and figures out all 
the public keys P_{i_k} and CRT numbers N_{i_k} of these ancestors. Let these param- 
eters be P_{i_1}, P_{i_2}, ..., P_{i_r} and N_{i_1}, N_{i_2}, ..., N_{i_r}. The GC establishes the system 
of congruences (1) and then computes COM_CRT_i using the CRT algorithm. 

$$
\begin{cases}
COM\_CRT_i \equiv E_{P_{i_1}}(K_i) \pmod{N_{i_1}} \\
COM\_CRT_i \equiv E_{P_{i_2}}(K_i) \pmod{N_{i_2}} \\
\qquad \vdots \\
COM\_CRT_i \equiv E_{P_{i_r}}(K_i) \pmod{N_{i_r}}
\end{cases} \qquad (1)
$$

The GC also computes M_i (see equation (2)). Then the GC signs and encrypts 
(N_i, COM_CRT_i, M_i), and sends the result (i.e., 
E_{P_i}(E_{S_GC}(N_i, COM_CRT_i, M_i))) to G_i. The subgroup controller G_i and 
all participants in subgroup G_i decrypt the result to get N_i, COM_CRT_i and 
M_i. 

= ( 2 ) 

Remarks: COM_CRT_i contains the information of P_{i_k} and N_{i_k} of all the 
ancestral subgroups of G_i. However, G_i does not know who its ancestors are. 
Moreover, even though M_i contains the N_j of its ancestral subgroups, G_i cannot 
obtain these N_j from M_i because of the difficulty of partitioning the product 
into the specific factors and in the specific order (this problem is NP-complete). 
As a result, the hierarchy is totally hidden. 

2.2 Data Communication 

Whenever a participant j with identity ID_j in G_i sends a message M, it does: (1) 
encrypts M using K_i, i.e., {M}_{K_i}, where {x}_k means encrypting x with k using 
some symmetric encryption function [10]; (2) computes a keyed MAC of {M}_{K_i} 
under K_i, i.e. MAC_{K_i}({M}_{K_i}), where the MAC could be any of the known 
Message Authentication Codes, such as MD5 [9]; (3) establishes the system of 
congruences:³ 

$$
\begin{cases}
CRT_i \equiv COM\_CRT_i \pmod{M_i} \\
CRT_i \equiv E_{s_j}\big(MAC_{K_i}(\{M\}_{K_i})\big) \pmod{N_0}
\end{cases} \qquad (3)
$$

(4) computes CRT_i by the CRT algorithm. This CRT_i contains all the infor- 
mation about its ancestral subgroup keys, the MAC, and the signature of the 
sender itself; (5) broadcasts (or multicasts) the tuple (ID_j, CRT_i, {M}_{K_i}). 

¹ In order to verify the signature, the verification information should be included in 
this message. We omit it for simplicity. 

² For simplicity, when E is used on a private key, the result represents a signature. 

³ The second congruence includes the sender's signature in the CRT value. 
When a receiver receives (ID_j, CRT_i, {M}_{K_i}), it does: (1) computes x = 
CRT_i mod N_0; (2) decrypts x using j's public key to get MAC_{K_i}({M}_{K_i}) = 
E^{-1}(x), where E^{-1} stands for the decryption algorithm corresponding to E; (3) 
if the receiver is in G_i, then it computes MAC_{K_i}({M}_{K_i}) using its own K_i. If it is 
in any G_{i_k} of G_i's ancestor subgroups, it first computes CRT_{i_k} = CRT_i mod N_{i_k} 
and decrypts CRT_{i_k} to get K_i = E_{S_{i_k}}(CRT_{i_k}), then computes MAC_{K_i}({M}_{K_i}) 
under K_i. Otherwise, the receiver ignores the message; (4) compares the above 
two MACs. If the two MACs are equal, then both the sender and the message 
are authenticated, and the receiver decrypts the message using K_i. Otherwise, the 
message is not intended for this receiver or the message was modified during 
transmission, and the receiver discards it. 
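The key flow of Sections 2.1 and 2.2 worked end to end, as an added example that is not the paper's own code: the GC solves equation (1) for each subgroup, a participant of G_3 forms CRT_i by equation (3), and receivers in G_3, in its ancestors G_1 and G_2, and in the unrelated G_4 each attempt key recovery and MAC verification. Textbook RSA with 20-bit primes stands in for E, HMAC-SHA256 truncated to 32 bits for the MAC, an XOR keystream for {x}_k, and M_i is taken as the product of the ancestors' N values as the paper's remarks describe; the hierarchy, key sizes and seed are constructed. It goes slightly beyond the text in that a receiver tries both its own key and the derived key without consulting the hierarchy, which is what hiding the hierarchy allows.

```python
import hashlib
import hmac
import random
from math import prod

random.seed(2001)  # constructed, reproducible toy parameters (far smaller than real ones)

def is_probable_prime(n):
    """Miller-Rabin with 16 random bases; adequate for the toy-sized moduli used here."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(16):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def rsa_keygen(bits=20):
    """Textbook RSA standing in for the paper's E: returns ((e, n), (d, n))."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return (65537, p * q), (pow(65537, -1, phi), p * q)

def E(key, x):
    """E_P(x) under a public key (e, n), or a signature E_S(x) under a private key (d, n)."""
    return pow(x, key[0], key[1])

def crt_solve(residues, moduli):
    """The CRT algorithm: the unique x < prod(moduli) with x = r_k (mod m_k) for every k."""
    total = prod(moduli)
    return sum(r * (total // m) * pow(total // m, -1, m) for r, m in zip(residues, moduli)) % total

def sym(key, data):
    """Stand-in for {x}_k: XOR with a SHA-256 keystream (a real cipher belongs here)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key.to_bytes(8, "big") + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def mac(key, data):
    """MAC_k(data), truncated to 32 bits so that it lies below the toy RSA moduli."""
    return int.from_bytes(hmac.new(key.to_bytes(8, "big"), data, hashlib.sha256).digest()[:4], "big")

# Constructed hierarchy: G1 -> G2 -> G3 (G1 and G2 are ancestors of G3); G4 is unrelated.
ANCESTORS = {1: [], 2: [1], 3: [1, 2], 4: []}
N0 = random_prime(48)
G = {i: {"N": random_prime(48), "K": random.getrandbits(32)} for i in ANCESTORS}
for g in G.values():
    g["P"], g["S"] = rsa_keygen()
# Distinct 48-bit primes are pairwise coprime and exceed every ~40-bit RSA output, so
# E_P(K) mod N equals E_P(K) itself and an ancestor recovers K_i exactly.

def gc_compute(i):
    """Equation (1) for G_i; M_i is taken as the product of the ancestors' N values."""
    moduli = [G[a]["N"] for a in ANCESTORS[i]]
    G[i]["COM_CRT"] = crt_solve([E(G[a]["P"], G[i]["K"]) for a in ANCESTORS[i]], moduli)
    G[i]["M"] = prod(moduli)

for i in ANCESTORS:
    gc_compute(i)

def send(i, sender_priv, message):
    """A participant of G_i forms CRT_i by equation (3) and broadcasts (CRT_i, {M}_{K_i})."""
    c = sym(G[i]["K"], message)
    sig = E(sender_priv, mac(G[i]["K"], c))                # E_{s_j}(MAC_{K_i}({M}_{K_i}))
    return crt_solve([G[i]["COM_CRT"], sig], [G[i]["M"], N0]), c

def receive(r, sender_pub, crt_i, c):
    """Receiver in G_r: recover the signed MAC from CRT_i mod N_0, then try its own key and
    the key derived from CRT_i mod N_r; the hierarchy itself is never consulted."""
    claimed = E(sender_pub, crt_i % N0)                    # E^{-1} with the sender's public key
    for key in (G[r]["K"], E(G[r]["S"], crt_i % G[r]["N"])):
        if mac(key, c) == claimed:
            return sym(key, c)
    return None                                             # not a receiver, or message altered
```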

2.3 Dynamic Key Management 

In SGC with HAC, there are two levels of dynamics: low-level dynamics, by which 
we mean that a member may join/leave a subgroup, which is operated by sub- 
group controllers and is dependent on the subgroup key management protocol; 
and high-level dynamics, which include the following operations: adding/inserting 
a new subgroup, removing an existing subgroup, merging two subgroups, splitting a 
subgroup and modifying an existing subgroup key, all of which are easily done in 
CRTHACS. For example, when a new subgroup G_i is added into the hierarchy, 
the GC computes G_i's COM_CRT_i by equation (1) and sends COM_CRT_i, M_i 
and N_i to G_i. If G_i has descendant subgroups (i.e., G_i is inserted into the hierar- 
chy), the GC also needs to recompute the COM_CRT values for all descendant 
subgroups of G_i so that these COM_CRT values include the information of G_i's public 
key P_i and the corresponding N_i. All other subgroups are not affected. 

2.4 Security and Performance Analysis 

The CRTHACS scheme is secure because of the independence of subgroup data 
keys and the difficulty of partitioning the product into the specific factors and 
in the specific order, along with the security of the underlying cryptosystems. 

As for the performance of the CRTHACS scheme, there are three complexities 
to be considered: space, time, and communication complexity, by which we mean 
the size of key-related materials, including the CRT parameters, communicated 
between the GC and the subgroups (subgroup controllers and participants) or 
between subgroup controllers and subgroup members. There are three classes 
of entities: Group Controller (GC), Subgroup Controllers (G_i) and participants 
(p_j). The complexities are summarized in the following table. 





        Space*    Time**                                  Communication*** 
GC      O(mHL)    O(mM(HL)log(H)) + O(mHM(L)log(L))       O(HL) (GC and G_i/p_j) 
G_i     O(HL)     Independent of m and H 
p_j     O(HL)     O(M(2L)) + O(2M(L)log(L)) 

Note: H: the maximum number of ancestors a subgroup may have; L: the length 
of a large integer in bits; m: the number of subgroups; M(n): the time to multi- 
ply two n-bit integers in bit operations; O(n) is measured in bits, not in bytes. 
* counts the space for representing P_i, S_i, K_i, N_i, COM_CRT_i and M_i, which 
require large integers, possibly 1024-bit numbers, but ignores the space for rep- 
resenting the access control structure or membership, which needs small integers. 
** counts the complexity of the CRT algorithm, i.e., 
O(M(kL)log(k)) + O(kM(L)log(L)) [4], [10], where k is the number of moduli, 
but ignores the time consumed on key generation, encryption and decryption, 
which will depend on the particular algorithms selected. 
*** the key materials between subgroup controllers and subgroup members de- 
pend on the subgroup key management protocol selected and are ignored here. 

3 Conclusion 

In this paper, we have proposed a new scheme for group communication with 
hierarchical access control. The scheme has highly desirable properties including 
scalability, the ability to deal with the dynamic problems related to inser- 
tion and deletion of subgroups, and the property of hiding the hierarchy and 
receivers. 

Acknowledgments. We thank Dr. G. Noubir and Dr. J.C. Birget for useful 
discussions on this work. 
Abstract. In a distributed environment like the Internet, mobile agents can be 
employed to perform autonomous tasks such as searching and negotiating. 
However, for mobile agents to be widely accepted, performance and security 
issues on their use have to be addressed. In this paper, we propose a parallel 
dispatch model with secure route structures for protecting the dispatch routes of 
agents. This model facilitates efficient dispatching of agents in a hierarchical 
manner, and ensures route security by exposing minimal route information to 
hosts. To further enhance route robustness, we also propose a mechanism with 
substitute routes that can bypass temporarily unreachable hosts, using substitute 
hosts for deploying right dispatch branches and making later attempts to reach 
these failed hosts. 



1 Introduction 

In recent years, there has been increasing interest in deploying mobile agents 
carrying both code and data for distributed processing in an environment such as the 
Internet. For example, in electronic commerce (EC), a pool of mobile agents can be 
dispatched from a host to related e-shops to gather information, such as price, stock 
status, warranty and delivery service, for goods specified by a customer [1], [2], 
[3], [4]. Clearly, an efficient strategy is to dispatch a large number of agents to work 
in parallel [5], [6]. This will also provide customers with the possibility of finding the 
"best" e-shop to make their purchases. 

However, for mobile agent technologies to be accepted, performance and security 
issues on their use have to be addressed. First, deploying a large number of agents 
requires significant overhead to dispatch the agents. Novel methods for dispatching 
agents are desirable. Second, when a mobile agent arrives at a host for execution, its 
code and data will be exposed to the host and the resources at the host may also be 
exposed to the mobile agent. Thus, security mechanisms should be set up to protect 
mobile agents from malicious hosts as well as to protect hosts from malicious agents. 
Some work has been done to protect the hosts, e.g., the access privilege protocol 
[7], [8] and the role-based mechanism [9] restrict an agent's access to the resources of a 
host. Protecting the agent is also a difficult task. In particular, in an EC environment, 
since e-shops are competitive, it is important to protect the routes of a mobile agent if 
it should visit a list of hosts (e-shops) or if it should dispatch other mobile agents to 
other hosts. If a malicious host knows the route information, it may tamper with it so 
that its competitors, which may offer better prices or services, will not be visited. This 
calls for novel methods to be designed. 

In this paper, we focus on the issues of efficiently dispatching mobile agents while 
protecting their routes. We first present a hierarchical dispatch model, which can 
efficiently dispatch a large number of mobile agents in parallel and is robust in the 
sense that an agent can be dispatched to any of the embedded hosts by delaying the 
trials to temporarily unreachable hosts. However, this comes at the cost of exposing 
all the addresses of descendant agents to hosts, and hence it is not secure in the context 
of protecting mobile agents from malicious hosts. Based on this model, we present a 
security-enhanced parallel dispatch model, which will not expose the information of 
any descendant agents except the children agents. Thus, we preserve the efficiency of 
the hierarchical model while ensuring route security. In addition, we also give a 
solution to facilitate robustness without sacrificing security and efficiency. 

In this paper, we employ well-known cryptography technologies such as the 
asymmetric encryption algorithm, signature generating algorithm and X.509 
authentication framework [10], [11]. In the following, we assume that there exists a 
secure environment including the generation, certification and distribution of public 
keys and each host can know the authentic public key of other hosts. 



2 A Basic Security Enhanced Model for Parallel Dispatch 

2.1 Binary Dispatch Model 

In this paper, we assume an infrastructure where a set of marketplaces is connected to 
the Internet. Requests by users go through the agent running at the Master 
Server for Mobile Agents (MSMA), which is an execution environment for mobile 
agents. In the MSMA, a customer agent can be created or dispatched. We call an agent a 
Worker Agent (WA) if its sole responsibility is to perform the tasks assigned to it, 
e.g., accessing data. If an agent also dispatches other agents besides performing the 
task of accessing data, it is called a Primary Worker Agent (PWA). 



Fig. 1. Dispatch tree with 16 WAs (layers h_0 downwards; leaves A_1 to A_16) 
In this section, we introduce the proposed parallel dispatch model. For simplicity, 
we restrict our discussion to a binary dispatch model where an agent can dispatch two 
other agents, resulting in a binary tree structure. Clearly, the model can be easily 
generalized to dispatch multiple (more than 2) agents. As shown in Figure 1, A_MSMA is 
responsible for dispatching PWAs and distributing tasks to them. Suppose A_MSMA has 
to dispatch 16 agents to different hosts. Now, they can be divided into 2 groups led by 
two PWAs, say A1 and A9. When agents A1 and A9 are dispatched, each of them has 8 
members including itself. For A1, it will dispatch A5 and distribute 4 members to it. 
Then A1 will transit to the same layer (i.e., h2) as A5, which is called a virtual 
dispatch. But now A1 has 4 members only. Following the same process, A1 will 
dispatch A3 and A2. At last, after all dispatch tasks have been completed, A1 will 
become a WA and start its data-accessing task. In this model, in a certain layer, a PWA 
can choose any of its members except itself to be the right child agent. In this way, 
any right branch can surely be deployed and any unreachable host can be bypassed 
for a later attempt. As a whole, since all PWAs are dispatched to different hosts, the 
dispatch process can be performed in parallel. When there are n = 2^h mobile agents and 
Δt is the average time for dispatching a mobile agent, (h+1)Δt will be the time for 
dispatching n mobile agents in the binary way. So, the dispatch complexity will be 
O(log n). Thus, the proposed model is both robust and efficient. 

There are three alternative implementations for a PWA to create and dispatch a 
child agent in the IBM Aglet system [12]. The first approach is that the MSMA passes 
the child agent to the PWA, which creates the child agent, encapsulates arguments 
such as the route and tasks, and then dispatches it. This method is expected to be 
inefficient in a WAN environment. The second is to compress the framework of child 
agents into a .jar file and attach it to the PWA when it is dispatched. The child agent is 
created from the compressed file for dispatch. The third one is to adopt the 
clone-like strategy. If some mobile agents have the same type of tasks, they can be put 
in the same group, where a PWA can easily create a child agent by locally making a 
copy and modifying the static data. After encapsulating the route in the copy, the 
PWA can dispatch it to a remote host. A secure clone environment that provides 
security mechanisms to detect illegally forged agents is also an important issue, but it is 
out of the scope of this paper. The common feature of the three alternatives is that 
arguments can be encapsulated in an agent when it is created. Here we address the 
secure dispatch route issue only with general-purpose models that can detect illegally 
forged agents, and do not restrict it to any implementation system. 



2.2 Securing the Route Structure 

In the basic binary dispatch model, to be robust, PWAs must expose all route 
information to the hosts. To ensure route security, we apply cryptographic techniques 
to the model. To protect the routes, we should expose the addresses to a host only 
when necessary. For example, if an agent is at host A, and it has to dispatch an agent 
to host B, then the address of B must (obviously) be exposed to host A; however, 
no other addresses should be exposed. 

The binary dispatch model is more complicated than the traditional serial 
migration model since a PWA has different dispatch tasks in different layers. Only the 
operations for a WA are simple. For the binary dispatch model, a basic definition of 
the route structure is as follows: 

(1) For a PWA at CH, r(CH) = P_CH[PWA, ip(RH), r_L, r_R, 
    S_MSMA(PWA, ip(PH), ip(CH), ip(RH), r_L, r_R, t)] 

(2) For a WA at CH, r(CH) = P_CH[WA, ip(MSMA), 
    S_MSMA(WA, ip(PH), ip(CH), ip(MSMA), t)] 

where r(CH) denotes the route structure at the current host CH, where the agent 
should go; ip(H) denotes the IP address of host H; RH and PH denote the right child's 
host and the parent host respectively; r_L and r_R denote the encrypted routes for the left 
and right children respectively; P_CH[M] denotes the message M encrypted with the 
public key of the current host CH; S_MSMA(D) denotes the signature on 
document D by host MSMA using its secret key; and t is the timestamp at which 
the signature is generated. t is unique for all routes within a dispatch tree. The 
addresses of PH and CH only appear in the signature, for verification. 

Starting the binary dispatch process with secure routes, the agent A_MSMA dispatches 
two PWAs to different hosts, each being encapsulated with an encrypted route for 
its future dispatch tasks. We call them the first left PWA (PWA_L) and the first right PWA 
(PWA_R). When an agent has successfully arrived at the current host CH, the carried 
route r(CH) can be decrypted with the secret key of CH so that the agent can know: 

- whether it is a PWA or a WA. This is used to determine the next task of the agent; 

- the signature signed at host MSMA: S_MSMA(PWA, ip(PH), ip(CH), ip(RH), r_L, r_R, t) 
for a PWA, or S_MSMA(WA, ip(PH), ip(CH), ip(MSMA), t) for a WA. 

If it is a PWA, it will also know 

- the address ip(RH) of the right child host RH; 

- the encrypted route r_R for the right child agent, which can only be decrypted by the 
right child host; 

- the encrypted route r_L for the left dispatch. 

If it is a WA, it will know the address of MSMA, ip(MSMA), the home host where 
A_MSMA is residing. With this address, the WA can send its result to A_MSMA. 

Clearly, under this model, at any layer, only the address of the right child agent is 
exposed to the current host so that the right dispatch can be completed. For a PWA, if 
it has 2^k members, only k addresses of its members are exposed to the host. 



2.3 Algorithm for Agent Dispatch with Secure Routes 

The algorithm for dispatching agents is described as follows: 

Algorithm 1: Binary dispatch with secure routes 

Step 1: when an agent A is successfully dispatched to host CH, it will use the secret 
key of CH, S_CH, to decrypt the carried route r(CH). 

    r = S_CH[r(CH)] 

Step 2: if A is a WA, go to step 6; otherwise A is a PWA, and it will dispatch another 
agent to ip(RH), encapsulating the route r_R in it. 

Step 3: if the dispatch is successful, host RH will send a message including its 
signature to CH. 

    msg1 = S_RH(Entity, ip(RH), t) 

where Entity is the full entity of the dispatched agent, including its code, state 
and data, and t is the timestamp when the agent is received successfully. 

Once it gets such a message, host CH will keep S_RH(Entity, ip(RH), t) in its 
database as a successful dispatch record. 

Step 4: Now A should try to complete its left dispatch. Let r = S_CH[r_L]. 

Step 5: if A is still a PWA, go to step 2; otherwise go to step 6. 

Step 6: A starts its task of data accessing. 

Step 7: when the data-accessing task is completed, A will dispose of itself after successfully 
sending a message to agent A_MSMA: 

    msg2 = P_MSMA[ip(PH), ip(CH), Result_CH, 
           S_MSMA(WA, ip(PH), ip(CH), ip(MSMA), t), 
           S_CH(ip(PH), ip(CH), Result_CH, t1)] 

where S_MSMA(WA, ip(PH), ip(CH), ip(MSMA), t) is the signature from 
MSMA, which is included in the decrypted route of the agent. Here it is used 
to show the identity of the agent. S_CH(ip(PH), ip(CH), Result_CH, t1) is 
the signature generated by the current host CH. Result_CH is the result obtained at 
CH. PH is the parent host of CH and t1 > t. 
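The binary dispatch with nested secure routes of Sections 2.1 to 2.3, as an added Python example; this is not the paper's code (the paper's prototype targets the IBM Aglet system). Public-key encryption P_H[.] is modelled as an envelope that only host H can open, MSMA's signature S_MSMA(.) as an HMAC under a key the verifier shares, and the host names H1..H16, the parent name "MSMA" and the fixed timestamp t are constructed sample values. Besides running Algorithm 1 over the 16-agent tree of Figure 1 and recording which member addresses each host learns, the block checks two properties the paper relies on later: a route forwarded to a host other than its CH cannot be decrypted (the wrong-host case of Section 3.3), and a WA route whose signature binds a different parent host fails verification (the route skip attack of Section 3.2).

```python
"""Simulation of the binary dispatch model with nested secure routes (added example).
P_H[M] is an envelope only host H can open; S_MSMA(...) is an HMAC stand-in for
MSMA's signature. Host names and the timestamp are constructed sample values."""
import hashlib
import hmac
import json
import secrets

MSMA = "MSMA"
MSMA_KEY = secrets.token_bytes(32)  # constructed: MSMA's signing key
T = "2001-11-13T10:00:00Z"          # constructed: the single timestamp t of one dispatch tree


def sign(fields):
    """S_MSMA(D): signature over the fields of D (HMAC stand-in)."""
    data = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(MSMA_KEY, data, hashlib.sha256).hexdigest()


def verify(fields, sig):
    return hmac.compare_digest(sign(fields), sig)


def seal(host, route):
    """P_host[route]: only `host` can open the envelope."""
    return {"to": host, "blob": json.dumps(route, sort_keys=True)}


def unseal(host, envelope):
    """S_host[envelope]: decryption with the host's secret key, modelled as an access check."""
    if envelope["to"] != host:
        raise PermissionError(f"route sealed for {envelope['to']}, opened at {host}")
    return json.loads(envelope["blob"])


def make_route(hosts, parent):
    """r(CH) for the agent leading `hosts` (CH = hosts[0]), dispatched from `parent`.
    A group of 2^k hosts is halved: the right child leads the upper half, the PWA
    keeps the lower half and carries on after a virtual dispatch (Section 2.1)."""
    ch = hosts[0]
    if len(hosts) == 1:                      # route structure (2): a WA
        sig = sign({"kind": "WA", "ph": parent, "ch": ch, "msma": MSMA, "t": T})
        return seal(ch, {"kind": "WA", "msma": MSMA, "sig": sig})
    half = len(hosts) // 2
    rh = hosts[half]
    r_r = make_route(hosts[half:], ch)       # r_R: readable only at RH
    r_l = make_route(hosts[:half], parent)   # r_L: readable only at CH, after the virtual dispatch
    sig = sign({"kind": "PWA", "ph": parent, "ch": ch, "rh": rh,
                "r_l": r_l["blob"], "r_r": r_r["blob"], "t": T})
    return seal(ch, {"kind": "PWA", "rh": rh, "r_r": r_r, "r_l": r_l, "sig": sig})


def dispatch(host, envelope, parent, exposed):
    """Algorithm 1 at `host`: appends to exposed[host] every member address the host
    learns and returns the hosts that end up running a WA."""
    route = unseal(host, envelope)                                      # Step 1
    if route["kind"] == "WA":
        fields = {"kind": "WA", "ph": parent, "ch": host, "msma": route["msma"], "t": T}
        if not verify(fields, route["sig"]):
            raise ValueError(f"invalid MSMA signature at {host}")
        return [host]                                                   # Step 6
    fields = {"kind": "PWA", "ph": parent, "ch": host, "rh": route["rh"],
              "r_l": route["r_l"]["blob"], "r_r": route["r_r"]["blob"], "t": T}
    if not verify(fields, route["sig"]):
        raise ValueError(f"invalid MSMA signature at {host}")
    exposed.setdefault(host, []).append(route["rh"])                    # only ip(RH) is revealed
    done = dispatch(route["rh"], route["r_r"], host, exposed)           # Steps 2-3: right dispatch
    done += dispatch(host, route["r_l"], parent, exposed)               # Step 4: virtual dispatch
    return done


def run_tree(hosts):
    """A_MSMA dispatches the first left and the first right PWA (2^h hosts in total)."""
    half = len(hosts) // 2
    exposed = {}
    done = dispatch(hosts[0], make_route(hosts[:half], MSMA), MSMA, exposed)
    done += dispatch(hosts[half], make_route(hosts[half:], MSMA), MSMA, exposed)
    return exposed, done


def wrong_host_detected(envelope, wrong_host):
    """Section 3.3: a route forwarded to a host other than its CH cannot be decrypted."""
    try:
        unseal(wrong_host, envelope)
    except PermissionError:
        return True
    return False


def forged_parent_detected():
    """Section 3.2: H_i cannot present a WA route for H_k that names itself as the parent,
    because the only signature it could reuse binds ip(H_j) as the parent host."""
    genuine = unseal("Hk", make_route(["Hk"], parent="Hj"))
    claimed = {"kind": "WA", "ph": "Hi", "ch": "Hk", "msma": MSMA, "t": T}
    return not verify(claimed, genuine["sig"])
```

Running `run_tree([f"H{i}" for i in range(1, 17)])` reproduces the exposure property of Section 2.2: H1, which leads a branch of 2^3 agents, learns exactly the three addresses H5, H3 and H2 (one per layer), H5 learns H7 and H6, and the hosts that only ever run a WA learn no member address at all. The `parent` field carried in every signature is what makes the wrong-host and forged-parent cases detectable.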



3 Resolving Security Threats 

In this section, we will examine several security issues that will be encountered when 
dispatching mobile agents and show how our model resolves them. 



3.1 Preventing a PWA from Dispatching a Child Agent 

During the period of dispatching a child agent, a malicious host may peek at the code of 
the agent and make it skip the dispatch process in a certain layer after the route is 
decrypted. Note that skipping a host would mean skipping all other addresses that 
may be triggered by that host. In the worst case, assuming host H1 is the malicious 
one, as shown in Figure 1, if the dispatch of A5 from H1 is not in fact performed, those 
agents in the group including A5 to A8 will not be activated. This means the successful 
interception of the dispatch of a PWA will affect all members included in the aborted 
PWA. However, this attack can be detected in this model. 

Taking the case in Figure 1 as an example, if H1 makes A1 skip the process of 
dispatching agent A5, agent A_MSMA cannot receive any messages from any of the agents A5, 
A6, A7 or A8. If this happens, since the four agents belong to the same group led by 
agent A5, A_MSMA will suspect first that A5 may not have been dispatched. A_MSMA will ask 
hosts H1 and H5 to show whether the predefined dispatch has been performed. 
Apparently, if the dispatch has been carried out, H1 will have received the confirmation 
message with the signature S_H5(Entity_A5, ip(H5), t) from H5. H1 cannot forge this 
signature without H5's secret key. So, no matter what H1 claims, the attack can be 
detected. 

If the skipped dispatch is for a WA, such as A5 not dispatching A6, it can also be 
detected since H5 cannot show a correct signature from H6 to show the dispatch is 
successful. 
3.2 Route Skip Attack 

There is yet another case that can be handled in this model. Consider a partial 
dispatch route: PWA A_i at host H_i dispatches A_j to H_j and A_j dispatches A_k to H_k, or 
there are more PWAs between A_i and A_k. In this model, the encrypted route 
encapsulated in a PWA includes the encrypted route for its right child agent, which 
can only be decrypted at the child's host in the dispatch route. That means when a 
PWA is dispatching an agent, it does not know what the agent is, a PWA or a WA, 
or how many members the agent has. So the case described above, that A_i directly 
dispatches A_k, is not likely to take place without the involvement of A_j. That is why the 
encrypted route is in a nested structure. In the worst case, even if H_i can successfully 
predict that A_k is its descendant in the dispatch route and makes A_i dispatch a forged 
agent to H_k, the attack will not be successful either. 

Suppose A_k is a WA; the forged route for A_k would be 

    r(H_k)' = P_Hk[WA, ip(H_i), S_MSMA(WA, ip(H_j), ip(H_k), t)], 

while the genuine route is 

    r(H_k) = P_Hk[WA, ip(H_j), S_MSMA(WA, ip(H_j), ip(H_k), t)] 

The genuine r(H_k) can only be obtained at H_k when A_k arrives there and decrypts its 
route. So if A_i wants to forge A_k, it must be able to forge S_MSMA(WA, ip(H_i), ip(H_k), t). 
Otherwise, the attack will be detected because the address of the parent host in the signature is 
not ip(H_i). Furthermore, the signature is also required to be included in the returned 
result for verification by A_MSMA. So, since forging the signature is impossible, this 
kind of attack cannot succeed. 



3.3 Tampering a PWA to Dispatch an Agent to a Wrong Host 

Since the hosts are in a competitive situation, if a malicious host knows a host to which 
an agent will be dispatched from it, and the remote host may probably offer a better 
service than itself, it may tamper with the address so that the agent is dispatched to 
another host which is known not to be able to provide a competitive offer. The tampering 
can be done just after the encrypted route is decrypted. However, when an agent is 
dispatched to a wrong host, its encrypted route will not be correctly decrypted there. 
Without the correct route, the verification process cannot be undertaken. Even if the 
destination host can get the correctly decrypted route, the route will show that it is a 
wrong destination, since the address of the destination host is included in the signature 
in the route generated by MSMA, which cannot be tampered with. Thus, in both 
situations, the attack can be detected by the destination host and the agent will be 
returned to the sender. Meanwhile, this error will be recorded by the destination host 
for future investigation. 



3.4 Sending the Result of a WA to A_MSMA Directly or Not 

In this model, when a WA has fulfilled its data-accessing task, it will send a message 
to A_MSMA directly by encrypting the result, the signature by the host as well as the 
signature by the MSMA originally included in the agent's route. The structure is 
shown as message msg2 in section 2.3. The whole message is encrypted with the public 
key of MSMA so that it can only be decrypted by agent A_MSMA. We choose this way in 
this model with regard to both security and performance issues. An alternative is that 
a PWA should be responsible for dispatching agents and collecting data from them. If 
PWA A_i dispatched PWA A_j, which dispatched WA A_k, and A_k encrypted its result 
with the public key of MSMA and sent it to A_j, then H_j cannot decrypt it. To send the 
whole result set to A_i, A_j should encrypt its own result together with the encrypted 
result from A_k. If they are put as two separate encrypted results, deletion or tampering 
attacks may easily occur in the returning path, especially when a large number of 
results are sent to a PWA. Meanwhile, this will increase the burden of a PWA and the 
performance will definitely become worse. 

A possible solution preventing the results from being tampered with or deleted, which may 
take place at any host where a PWA resides, is for the receiving side to send a reply to 
the sending side, just like the process for dispatching. The reply should be a signature 
generated on the received message by the secret key of the receiving side. In this way, 
deletion and tampering can be detected by the verification among the MSMA, sending 
side and receiving side. However, the performance will become inferior. 

In comparison, in our model, since a WA only visits one host, the host would not 
delete the result or prevent its offer from being returned once the agent has been 
successfully dispatched there. In case the attack occurs, based on the detection of 
successful dispatch, the problem should be with the side of the host where the agent 
has arrived. In terms of performance, since each WA has a different starting time and 
ending time for the data-accessing task and each offer will be small in size, the 
returned results can hardly cause A_MSMA to become a bottleneck. 



3.5 Replay Attack 

In a malicious host, the replay attack may occur. Consider the following scenario: 
a malicious host H_i has a PWA residing in it, and it dispatched agent A_j to host H_j. 
After the normal process has been completed, H_i may replay the dispatch with a 
forged agent so that, on one hand, it can get the offer information from H_j constantly 
and periodically if H_i tampers with the agent so that it sends the result to H_i, and on the 
other hand, excessive agents may jam H_j. However, when an agent is dispatched from 
H_i to H_j as a replay attack, the timestamp included in the signature from MSMA 
cannot be tampered with. By verifying the signature, H_j can easily detect the replay 
attack and H_i will face the risk of being reported. 

Similarly, another type of replay attack is for a host, at which a WA had earlier 
resided, to repeatedly counterfeit the WA and send messages to the agent A_MSMA. Since 
A_MSMA is the root agent, it will be disposed of once all WAs have completed their 
tasks successfully. In addition, if A_MSMA repeatedly receives offers from the same host, 
it will close the communication channel and start an investigation. 



3.6 Collusion Attack 

In a normal sequence, host H_i should dispatch an agent to H_j. Assuming H_i and H_k 
are in a collusion tie, the agent is dispatched to H_k instead. In this way H_i and H_k make an 
attempt to skip the visit to H_j, who is their competitor, and send their own offers 
instead. However, H_k can hardly forge the signature by H_j that should be included in 
the message returned to A_MSMA. In such a case, the counterfeited message can be 
detected when it is returned and this will cause an investigation against H_i and H_k. 
Since H_j will report that no such agent has ever been dispatched to it and H_i cannot 
show the correct dispatch record, which should include the signature by H_j, the attack 
can be identified. The attack can be successful only when H_i, H_j and H_k make a 
collusion attack, sending a result from H_j encapsulating the price from H_k. However, in 
a healthy competitive environment, the probability is fairly low. Even if it can take 
place, the future negotiation or buying agents will visit H_j, not H_k, and if H_j cannot 
offer the goods at the provided price, it will amount to commercial cheating, which 
is the same as a merchant giving a nominal price and causing the abortion of the 
purchase. This will cause a deduction of the merchant's credit standing and few 
agents will be dispatched later to such merchants. 



4 Robustness Enhanced Extension 

So far we have presented a security-enhanced dispatch model for mobile agents. 
However, like Westhoff's model [13], each PWA only knows the RH to which its 
right child agent should be dispatched at a certain stage, and should the host where the 
right child agent should go be unavailable, the right dispatch branch cannot be 
deployed and all the members grouped in this agent will thereby not be activated. 

As mentioned in section 2.1, the binary dispatch model is robust in that a PWA 
can know all the destination addresses of its child agents. It can choose any of 
them to be the right child PWA. However, its robustness is built on the basis that all 
these addresses are exposed to the host. Therefore, its robustness is not feasible with 
regard to security. In any case, it is clear that a PWA should have an alternative for 
dispatching its right child agent so that, if the predefined right child agent cannot be 
successfully dispatched due to some reason at the destination host, the PWA can 
have another route for the right dispatch. 

Li proposed a robust model in [14] for serial migration of agents, in which the route 
robustness is enhanced by dividing a route, say {ip(H_1), ip(H_2), ..., ip(H_n)}, into two 
parts, say {ip(H_1), ..., ip(H_i)} and {ip(H_{i+1}), ..., ip(H_n)}, which are distributed to two 
agents A_1 and A_2 respectively. A_1 and A_2 are in a partner relationship. Each agent 
residing at any host knows the addresses of the next destination and an alternative 
host. The latter is encrypted by the public key of its partner agent. In case the 
migration cannot be performed, the encrypted address will be sent to the partner agent 
for decryption. With its assistance, the agent can continue its migration. 

The problem with Li's model is that since A_1 and A_2 are two agents that should 
dynamically migrate, when one needs the other's assistance, locating each other will 
be costly in both time and system resources, though some mechanisms have been 
proposed in [15], [16]. Meanwhile, the model is a serial one, so it is not efficient. 
Additionally, using the secret key of a dynamically migrating agent is not secure. But 
the idea of using the mutual assistance of two agents to enhance the robustness is 
good and can easily be used in our model, where the two first PWAs in the left and 
right branches can do it better. Since they don't need to migrate, sending messages to 
them is fairly simple and fast. Encrypting and decrypting the route using the keys of 
the host where the first PWA resides is more secure. 
For robustness, the route structure in equation (1) can be extended as follows, giving 
route structure (2): 

(1) For a PWA at CH, r(CH) = P_CH[PWA, ip(RH), r_L, r_R, r_R', S_MSMA(PWA, 
    ip(PH), ip(CH), ip(RH), r_L, r_R, r_R', t)], where r_R' = P_APWA[ip(SH), r(SH), 
    S_MSMA(ip(SH), r(SH), t)] is the substitute route for the right branch of 
    host CH, and SH is the new substitute host. 

(2) For a WA at CH, r(CH) = P_CH[WA, ip(PH), ip(MSMA), S_MSMA(WA, 
    ip(PH), ip(CH), ip(MSMA), t)] 

In route structure (2), r_R' is encrypted by the public key of the first PWA in the other 
branch of the whole dispatch tree, which is here termed the Assistant PWA (APWA). 

Suppose A_1 is the first PWA in the left dispatch sub-tree and A_m is the right one. If the 
current host CH is a descendant of A_1, then r_R' is encrypted by the public key of A_m, 
P_Am. Otherwise, if CH is in the right dispatch sub-tree from the root node, r_R' is 
encrypted by P_A1. 

If the dispatch failure occurred when A_i is dispatching A_j, and A_i is in the left 
dispatch sub-tree, A_i should report it to A_m, attaching the substitute route r_R': 

    msg1 = P_Hm[ip(H_i), ip(H_j), r_R', S_Hi(ip(H_i), ip(H_j), r_R', t)] 

When A_m gets such a message, it will 

Step 1: Detect whether H_j has gone down. If it has, go to step 2; otherwise go to 
step 3. 

Step 2: A_m will decrypt r_R', r = S_Hm[r_R'], and send it to A_i through a message 

    msg2 = P_Hi[ip(SH), r(SH), S_MSMA(ip(SH), r(SH), t), 
           S_Hm(ip(SH), r(SH), S_MSMA(ip(SH), r(SH), t), t1)] 

Stop. 

Step 3: If A_j is in the correct state, A_m will tell A_i about it and record the request in a 
database. 

There are two reasons for A_i to send a request to A_m. One is that H_j has a temporary 
failure when A_i is trying to dispatch an agent there. The other reason is that host H_i is 
malicious and attempts to learn more addresses by sending a cheating request. 
However, the failure report will be confirmed by A_m before it replies with any decrypted 
route, and the request is saved by A_m for future investigation. 

In this way, by route structure (2), a PWA will have a substitute route for the 
dispatch of its right child agent. Once the original dispatch is not successful, with the 
assistance of its APWA, it can have another destination to dispatch to. 

What we should point out is that the substitute host is originally included in the 
members of the right dispatch branch. Taking the dispatch tree in Figure 1 as an 
example, if the dispatch failure occurred when A1 is dispatching A5, A1 can get a 
substitute route with the assistance of A9. Suppose the substitute host is H6; A1 will 
dispatch an agent A6 to H6 and A6 will deploy the right dispatch branch. To be more 
fault-tolerant, the address of H5 will still be included in this branch. But it is put as 
a leaf node so that A5 will become a WA, only for another attempt to dispatch it. 
Suppose the new sequence is A6, A7, A8 and A5, in which A8 will make another 
attempt to dispatch A5. If the dispatch problem with A5 is temporary, a later attempt 
will be successful, so that in such a case all hosts will be visited as usual. If the 
dispatch failure occurs again, the reply from A9 will show that A5 is a WA and no 
more substitute routes will be provided. 
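The substitute-route exchange of Section 4 (route structure (2), msg1, the APWA's three steps and the reordered branch of the Figure 1 example), as an added Python example that is not the paper's code. Encryption P_H[.] and the signatures S_MSMA, S_Hi and S_Hm are mocked as in-memory envelopes and HMACs under per-host keys; the nested route r(SH) of the reordered branch is abbreviated to its member sequence; and the hosts (H1 as the host of A_i, H5 as the failed right-child host, H9 as the APWA host), the `is_alive` probe standing in for however A_m detects that H_j has gone down, and the timestamps t and t1 are all constructed.

```python
"""Substitute routes for a failed right dispatch (Section 4), as an added example.
Encryption is an envelope only the named host can open; signatures are HMACs under
per-host keys. Hosts, the liveness probe and the timestamps are constructed."""
import hashlib
import hmac
import json
import secrets

KEYS = {h: secrets.token_bytes(32) for h in ("MSMA", "H1", "H9")}  # constructed signing keys
T = "2001-11-13T10:00:00Z"    # constructed: t of the dispatch tree
T1 = "2001-11-13T10:05:00Z"   # constructed: t1 of the APWA's reply


def sign(signer, fields):
    """S_signer(fields): HMAC stand-in for a signature with the signer's secret key."""
    data = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(KEYS[signer], data, hashlib.sha256).hexdigest()


def verify(signer, fields, sig):
    return hmac.compare_digest(sign(signer, fields), sig)


def seal(host, obj):
    """P_host[obj]: only `host` can open it."""
    return {"to": host, "blob": json.dumps(obj, sort_keys=True)}


def unseal(host, env):
    if env["to"] != host:
        raise PermissionError(f"sealed for {env['to']}, opened at {host}")
    return json.loads(env["blob"])


def substitute_sequence(branch):
    """The failed right-child host RH moves to the leaf position, so the last PWA
    of the branch makes a second attempt to dispatch it."""
    return branch[1:] + branch[:1]       # [H5, H6, H7, H8] -> [H6, H7, H8, H5]


def make_substitute_route(branch, apwa):
    """r_R' = P_APWA[ip(SH), r(SH), S_MSMA(ip(SH), r(SH), t)], generated by MSMA.
    The nested route r(SH) of the new branch is abbreviated to its member sequence."""
    seq = substitute_sequence(branch)
    sh = seq[0]
    r_sh = seal(sh, {"kind": "PWA", "members": seq})
    sig = sign("MSMA", {"sh": sh, "r_sh": r_sh["blob"], "t": T})
    return seal(apwa, {"sh": sh, "r_sh": r_sh, "sig": sig})


def report_failure(hi, hj, hm, r_sub):
    """msg1 = P_Hm[ip(H_i), ip(H_j), r_R', S_Hi(ip(H_i), ip(H_j), r_R', t)]."""
    body = {"hi": hi, "hj": hj, "r_sub": r_sub, "t": T}
    return seal(hm, {"body": body, "sig": sign(hi, body)})


class APWA:
    """The assistant PWA A_m at host H_m: it releases a decrypted substitute route
    only after confirming the failure itself, and records every request."""

    def __init__(self, host, is_alive):
        self.host, self.is_alive, self.requests = host, is_alive, []

    def handle(self, msg1_env):
        msg1 = unseal(self.host, msg1_env)
        body = msg1["body"]
        if not verify(body["hi"], body, msg1["sig"]):
            raise ValueError("msg1 signature invalid")
        self.requests.append((body["hi"], body["hj"]))       # kept for investigation
        if self.is_alive(body["hj"]):                          # Step 1 -> Step 3: H_j is fine
            return {"status": "alive"}
        sub = unseal(self.host, body["r_sub"])                 # Step 2: r = S_Hm[r_R']
        signed = {"sh": sub["sh"], "r_sh": sub["r_sh"]["blob"], "t": T}
        if not verify("MSMA", signed, sub["sig"]):
            raise ValueError("substitute route not signed by MSMA")
        inner = {"sh": sub["sh"], "r_sh": sub["r_sh"], "sig_msma": sub["sig"], "t1": T1}
        msg2 = seal(body["hi"], {**inner, "sig_apwa": sign(self.host, inner)})
        return {"status": "substitute", "msg2": msg2}
```

Two things the exchange makes concrete: the PWA at H1 carries r_R' but cannot open it itself (only the APWA at H9 can), and a report about a host that is still reachable, the cheating request of Section 4, yields no route at all while still being logged in `requests` for later investigation.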
5 Discussions and Conclusion 

In the proposed model, we aim to expose only the necessary addresses to hosts. If a 
PWA A_i has 2^k agents in its whole branch, only k addresses are exposed to host H_i, 
since these agents should be dispatched directly by A_i in different layers. As a matter 
of fact, a PWA does not know what the dispatched agent is or how many members it 
has, and with the security mechanisms attacks can be detected. Since this model 
adopts parallel dispatch, the dispatch efficiency is high. 

As Westhoff's model [13] adopted a fully serial migration, the migration 
complexity is O(n) if there are n hosts to be visited, and it provides a secure route 
structure without any robustness mechanism. Li's model [14] ensures both security 
and robustness. As the addresses of n hosts are distributed to two agents, the whole 
migration time can theoretically be half of that of the first model. However, the time 
complexity is O(n). In comparison, in our model the efficiency is greatly improved 
while both security and robustness are ensured. For either the fully binary dispatch 
model or the model with 1 substitute route, the dispatch complexity is O(log n). 

With regard to the complexity of generating routes, the three models have different 
performances. As pointed out by [13], when the route adopts the nested structure, it will 
help to prevent route tampering or deletion attacks and detect them as early as 
possible. The nested route structure is also adopted by Li's model and our model. 
Based on this condition, and taking the time for encrypting a route as a constant for 
simplicity, the complexity of generating routes can be estimated as follows. 

For Westhoff's model, the route with n addresses can be generated after the route 
with n-1 addresses has been generated. So, the complexity T(n) can be calculated as 
T(n) = O(n) from the following: 

    T(n) = T(n-1) + C 
    T(1) = C, C is a constant 

For Li's model, suppose the hosts in the predefined sequence are {H_1, H_2, H_3, 
..., H_i, H_{i+1}, ...}; if host H_{i+1} is not reachable, H_{i+2} will become the next destination from H_i and 
H_{i+1} will never be visited for this journey. So the generated normal route with i-3 
addresses will be used for generating the substitute route with i-2 addresses. The 
route generating complexity with 1 substitute route is 

    T(n) = T(n-1) + 2C 
    T(1) = C 

And T(n) is O(n). 

In our model, the complexity of generating routes without substitute routes is 
T(n) = O(n), where T(n) is 

    T(n) = 2T(n/2)           (n = 2^k) 
    T(i) = 2T(i/2) + C       (2 <= i <= 2^(k-1)) 
    T(1) = C 

When generating the first substitute route for a branch, only a few steps should be 
taken in the left sub-branch of this branch. The number of steps is up to the height 
h of the sub-branch. The complexity of our model generating 1 substitute route is 

    T(n) = 2T(n/2) + C       (n = 2^k) 
    T(i) <= 2T(i/2) + hC     (h <= k-1, 2 <= i <= 2^(k-1)) 
    T(1) = C 

And hereby T(n) is O(n log n). 

In our model, a failed host will be tried a second time, while Li's model skips it. 
Otherwise the complexity of Li's model for generating routes will become extremely 
worse, since the sequence of hosts in the substitute route has been changed and the 
route should be generated again. When a route includes 1 substitute route, the 
complexity will be T(n) = T(n-1) + T(n-2) + 2C, T(1) = C, and T(n) grows exponentially. 

For future work, we will work toward a global e-commerce framework with 
security mechanisms that is suitable for parallel processing by mobile agents. Some 
improvements should be made to the current model to provide more substitute routes with 
less loss in time complexity, and an evaluation model on both security and 
commercial credit is also needed, since in our model the hosts where APWAs reside 
are the most important for the global dispatch. Based on this environment, activities such as 
merchant assessment, information gathering and negotiation can be deployed by 
mobile agents automatically and safely. 
Abstract. Proposed by the Ministry of Education of the P.R.C., the Advanced Computational 
Infrastructure (ACI) aims at sharing geographically distributed high- 
performance computing and huge-capacity data resources among the universities 
of China. With the fast development of large-scale applications in ACI, the 
security requirements become more urgent. After analyzing the background of 
ACI, the paper describes the special security needs in ACI, and then presents 
TH-SMS, a security management system based on ACI. According to its three- 
level structure, the implementations of TH-SMS are discussed. Especially for task 
security management, several new security techniques, KCKPT and DP-VPN, are 
introduced in the paper. Finally, compared with other security systems, TH-SMS 
proves to be more effective and flexible. 



1 Introduction 

With the fast development of high-performance applications, many large-scale 
applications exceed the capacity of a single supercomputer. Connected by 
high-performance networks, geographically distributed supercomputers are enabling 
large-scale applications, such as scientific simulation, collaborative engineering, etc., 
which is also called the grid computing environment. Currently much effective 
research work has been done on the grid computing environment all around the world, 
and some important advanced computational infrastructures, including the National 
Partnership for Advanced Computational Infrastructure (NPACI) [1] and the National 
Computational Science Alliance (NCSA) [2], have been successful in the USA. The Ministry 
of Education of the P.R.C. also proposed a grid computing project, the Advanced Computational 
Infrastructure (ACI) [3], which aims at sharing high-performance computing and 
huge-capacity data resources among the universities of China. 

However, widespread usage of such applications in ACI crucially depends on the 
availability of appropriate security mechanisms. Because they use large numbers of 
geographically distributed dynamic resources, ACI applications are different from 
traditional client-server applications. The resources in the large-scale environment are 
connected across the Internet, and they can join and leave the computing environment 
dynamically. To ensure security, the resources require authentication mechanisms to 
keep out malicious users, and users also require authentication of resources to protect 
important data and to prevent counterfeit owners of resources. As the important 
data flows between users and owners of resources are exposed on the unsecured Internet, 
the requirements for the integrity and confidentiality of data become more and more 
urgent. However, most ACI users pay more attention to the performance of the 
parallel distributed applications than to their security. 

Aimed at resolving complex security problems and guaranteeing high performance 
of applications in ACI, a three-level security management system, TH-SMS, is 
presented in the paper, and two new security techniques are provided, KCKPT [4] and 
DP-VPN, along with mature security techniques. 

The paper is organized as follows: the background of ACI is described in section 
2; the structure of the security management system TH-SMS is set out in section 3; 
according to its three-level structure, the implementations of TH-SMS and the new 
security techniques KCKPT and DP-VPN are discussed in section 4; related work is 
analyzed in section 5. Finally, in section 6, we draw some conclusions and 
address our future work. 



2 The ACI Background 



In order to effectively utilize high-performance computing and data resources, improve 
native computing technologies, and cultivate experienced experts across different 
subjects, the Ministry of Education of the P.R.C. proposed the ACI project in 2000. In the ACI project, 
the high-performance computers and other advanced instruments are connected 
through a high-speed network, which can be shared by the universities in China to 
collaborate across different research subjects. The first step of the ACI project is to 
develop an ACI testbed, which connects the high-performance parallel computers TH- 
NPSC in Beijing and SU-NPSC in Shanghai with a convenient Web user interface. Our 
research group realized an ACI testbed [5] in 2001. Therefore, researchers, whether 
in Beijing or Shanghai, can conveniently use geographically distributed high-performance 
computers, networks and information in the ACI testbed. The final goal of 
ACI is to connect high-performance parallel computers and data centers in most 
universities of China and build a huge virtual laboratory, which helps 
researchers to develop and utilize high-performance computing and data information. 
The structure of a grid computing node in the ACI testbed is shown in figure 1. 

Fig. 1. Grid computing node in ACI testbed 

Most of the high-performance parallel computers are composed of high-performance 
SMP PCs with Linux operating systems. Based on the distributed database and 
network techniques, the software architecture of our ACI system includes security 
system, parallel development tools, performance analysis tools, parallel applications, 
application-level checkpoint system, user management system, task management 
system, and resource management system. The ACI architecture has the following 
characteristics: 

1. The integral interfaces in ACI are based on Web technology, so they are easy to 
interact with and independent of computer hardware and operating systems. 

2. The main programming language for development is Java. Hence, migration of the ACI 
software system to other operating systems or hardware is easy to implement. The C 
programming language is also adopted in some performance-sensitive parts. 

3. Information storage and management are based on a database. With complex index 
structures and high-performance search operations, a database provides faster access 
than file systems. 

4. All computing nodes in ACI adopt Linux as their operating system, because of its 
open source and rich software support. Hence, our security mechanisms can be 
inserted into the Linux kernel, leading to a high security rank in ACI. 

As an Internet infrastructure, the ACI testbed must satisfy the security requirements of 
resource users. According to these requirements, the ACI testbed should have the ability 
to defend against illegal attacks and destruction and to recover systems after disasters. 
Apparently, enhancing security capabilities in the ACI testbed would affect the performance 
of the large-scale distributed applications. Hence, in order to ensure high performance 
of the applications, several dynamic parallel security technologies should be 
introduced to reduce security overheads. In a word, the security problems and 
technologies in the ACI testbed are more complex and comprehensive than those in 
common Internet conditions. 



3 Security Management System 

In order to support users in securely developing and executing applications on 
geographically distributed parallel computers connected by high-speed networks, the 
security solutions in ACI should provide the following new capabilities: 

1. The capability to manage the secure transfer over logical communication links 
among parallel processes in large-scale distributed computations. 

2. The capability to manage the secure interactions between users and the 
Web user interfaces. 

3. The capability to manage the authentication of users and resources. 

4. The capability to reduce the overheads of the security solutions in order to guarantee 
the performance of large-scale distributed applications. 

5. The capability to recover the execution of parallel tasks after unexpected 
disasters. 

6. The capability to ensure the integrity of the operating system. 

In order to satisfy the requirements of security, high performance and convenience 
at the same time, new security policies and methods should be introduced. To meet 
users' demands we present a security management system, TH-SMS, with a three- 
level structure, based on which we can apply different security policies and tools to 
protect different levels of the ACI infrastructure. Hence, users can access resources in a 
more painless and seamless way. The abstract structure of TH-SMS in ACI is shown 
in figure 2. 




The first level of the security structure is interface security management between 
Internet users and the Web user interfaces. Its duties are to prevent information 
exchanged between users and interfaces from being leaked or counterfeited, and to 
defend against illegal attacks and intrusions. 

The second level of the security structure is user security management. It stores the 
security ranks and resource limits of users in a database. When a user accesses 
resources in ACI, it prevents illegal accesses and restricts different users to 
different access privileges. 

The third level of the security structure is task security management. To ensure the 
security of tasks, its duties are to monitor the states of the running parallel tasks, encrypt 
communication data between parallel tasks and disable hostile tasks. In order to 
recover tasks from unexpected disasters, it checkpoints intermediate executive images of 
the parallel tasks to prepare for later recovery. It also ensures the integrity of the 
operating system. Furthermore, in order to guarantee the performance of tasks, it 
adopts dynamic parallel security technologies to reduce security overheads. 



4 Implementation 

4.1 Interface Security Management 

In the ACI testbed, the interface security management system concerns two aspects: 

1. Prevention of illegal attacks and intrusions from the Internet. 

2. Prevention of illegal information leakage and counterfeiting. 

Generally speaking, the security problems above also arise in common 
Internet WWW services, and their solutions are comparatively stable now. Hence, we 
adopt two mature security techniques in our management system to realize the 
security capabilities above. The structure of interface security management in TH- 
SMS is shown in figure 3. 




Fig. 3. Interface security management in TH-SMS 



In order to prevent illegal attacks and intrusions, we introduced a firewall technique 
into TH-SMS to isolate the network of high-performance computers from the Internet. The 
valid services for the high-performance computers are permitted to pass through the firewall, 
and all other services are blocked by it. In TH-SMS the firewall is realized in the Linux OS 
kernel without hardware support, and the computer hosting the firewall has 
two network interface cards: one is connected to the Internet, and the other 
to the local high-speed network. Special security policies are developed in the Linux kernel 
for the firewall to strictly check every packet from the Internet. As a result, only valid 
packets from the Internet can pass through the firewall, and illegal attacks and intrusions 
are prevented effectively and stably. 

In order to prevent illegal information leakage and counterfeiting, we adopt the Secure Sockets 
Layer (SSL) [6] and Secure Shell (SSH) [7] techniques in TH-SMS. The interaction 
protocols between Internet users and the ACI software systems are HTTP, Telnet and 
FTP, so their communication channels should be encrypted to guarantee their 
security. 

To ensure the security of HTTP channels, we adopt the SSL and HTTPS protocols, and use the 
OpenSSL, Apache and mod_ssl software to build a secure Web server. We also build 
a Certifying Authority (CA) to sign Certificate Signing Requests, and the result is 
a real certificate, which can be used for our secure Apache web server. 

To ensure the security of the Telnet and FTP protocols, we adopt the OpenSSH 
software to encrypt all information in Telnet and FTP sessions. OpenSSH is a free 
version of the SSH suite of network connectivity tools, which increasing numbers of 
people on the Internet are coming to rely on. Many users of telnet, rlogin, ftp, and other 
such programs might not realize that their password is transmitted across the Internet 
unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to 
effectively eliminate eavesdropping, connection hijacking, and other network-level 
attacks. 



4.2 User Security Management 

In TH-SMS, user security management is used to protect the valid rights of valid 
users, and to prevent illegal users and illegal resource accesses by valid 
users. 

The process of accessing a resource of the ACI testbed in our TH-SMS system is as 
follows: if a user wants to access the ACI testbed, he should first apply for a valid account to 
enter the ACI system; after the user security management system checks the information of 
the user, it sends the security account and certification information to the user 
through secure HTTPS or secured email with a PGP signature; moreover, the information 
about the user, such as the security rank and the right to access resources in ACI, is recorded 
in a database behind the firewall. 

When a user submits a task to the ACI testbed, the user security management system in TH- 
SMS checks the security information of the user stored in the database. If the user has 
the right to access the resources required by the user's task, TH-SMS permits the 
ACI testbed to execute this task; otherwise, the request to submit the task is 
refused. The submission process is shown in figure 4. 




Fig. 4. User security management in TH-SMS 



4.3 Task Security Management 

The missions of the task security management system in the ACI testbed include the 
following concerns: 

1. To checkpoint intermediate executive images of tasks. 

2. To encrypt in parallel the communication data among high-performance computers 
connected by the Internet. 

3. To prevent the execution of hostile tasks. 

4. To monitor SUID programs and to protect the software integrity of computers. 

4.3.1 KCKPT and TH-MPI 

Composed of a large number of PCs, long-lived distributed computations in ACI have 
high risks of failure and unexpected disasters. To overcome these drawbacks, we 
provide application-level checkpoint techniques in TH-SMS to store the intermediate 
executive images of tasks in the ACI testbed. Therefore, when an unexpected 
disaster occurs, the executive image of a task can be recovered and continue to execute after 
recovery. 

Currently more and more parallel applications are based on MPI, since the MPI 
standard has proven effective and sufficient for most high-performance 
applications. In order to reduce checkpoint overheads, we developed an OS-kernel- 
supported checkpoint technique, KCKPT [4], and designed an OS-kernel-integrated 
fault-tolerant MPI, TH-MPI [4]. With the support for fault detection and fault 
tolerance from KCKPT at the OS level, TH-MPI is implemented in a more transparent, 
effective and extensive way. With dynamic kernel module and diskless checkpointing 
technologies, checkpointing overheads are effectively reduced in TH-MPI. 
Furthermore, TH-MPI supports programs with shared dynamic libraries, which other 
fault-tolerant systems cannot support. In tests in our prototype 
environment, the initial performance results of TH-MPI are very encouraging. With the 
techniques above, we can effectively store the intermediate executive images of 
parallel tasks and recover from an unexpected crash. 

4.3.2 DP-VPN 

In the ACI testbed, it is quite likely that a user's task executes simultaneously on 
nodes in both Beijing and Shanghai, so the information required by the task is commonly 
exchanged across the Internet. To ensure task security, the communication data 
transmitted between Beijing and Shanghai should be encrypted. However, leaving the 
task itself to do the data encryption would increase implementation difficulties and lead 
to unnecessary development overheads. The common way to resolve the problem is to 
use the VPN (Virtual Private Network) [8] technique, but the overheads of encrypting 
large amounts of communication data for high-performance parallel computers are 
relatively heavy. Consequently, the routers among geographically distributed high- 
performance parallel computers become bottlenecks. 

To solve the overhead problem above, we develop a new security technique in TH-SMS, the 
Dynamic Parallel Virtual Private Network (DP-VPN). DP-VPN, which is 
realized in the IP layer, provides high-performance secure point-to-point connections. 
Therefore, the data transported among high-performance parallel computers can be 
encrypted in parallel in the IP layer of the Linux kernel. Supposing there are M computing 
nodes and N routers in a parallel computer, with N ≪ M, the main processing steps of 
DP-VPN are as follows: 

1. Developing a dynamic route table for each computing node in the parallel 
computer. When initializing the route table for each computing node, we set the 
default router of node i (0 ≤ i ≤ M-1) to router j (0 ≤ j ≤ N-1), where j = i mod N. When 
adding or deleting routers, we recalculate and reset the route table for each 
computing node in the parallel computer and send the message to the local resource 
manager. 

2. Collecting network information in time. We use the SNMP protocol to collect network 
information among the geographically distributed parallel computers, and send the 
information to the local resource manager. All resource managers synchronize the 
network information and save the best network route information in time for the 
geographically distributed parallel computers. 

3. Developing a dynamic route table between the routers of geographically distributed 
parallel computers. To construct the route table, we get the best network route 
information from the local resource managers. 

Among the security protocols for VPNs, we adopt IPSec [9] as our basic VPN 
security protocol. We also enhance FreeSWAN [10] to support DP-VPN and set up 
the route and security policies to meet our special purposes in the ACI testbed. Each 
high-performance computer has N VPN routers to connect with other high- 
performance computers. Therefore, the applications need not be concerned with security 
problems when communicating with others across the Internet. However, the overheads 
of encryption and decryption in one router cannot be ignored. If we adopt TRI- 
DES [11], a widespread encryption algorithm, the performance of a VPN router 
decreases by at least about 25%. Whereas, when adopting our DP-VPN technique, 
changing the route policies in the local network and adding more VPN routers, the 
potential bottlenecks are eliminated. 
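The three DP-VPN steps are given in words only. The following Python, added here and not part of the TH-SMS implementation, models the j = i mod N default-router assignment of step 1, the reset when routers are added or removed, and the capacity arithmetic behind the claim that adding VPN routers removes the encryption bottleneck; router names, per-node traffic and router capacity are constructed, and the 25% figure is the paper's own estimate for a TRI-DES VPN router.

```python
"""Model of the DP-VPN dynamic route-table assignment (steps 1 and 3 above).

Added example, not the TH-SMS code. Router names, per-node traffic and router
capacity are constructed; the 25% penalty is the paper's estimate of the
throughput a VPN router loses when it encrypts with TRI-DES.
"""
import math
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Paper: a TRI-DES VPN router loses "at least about 25%" of its performance.
CRYPTO_PENALTY = 0.25


def build_route_table(m_nodes: int, routers: Sequence[str]) -> Dict[int, str]:
    """Step 1: the default router of node i (0 <= i <= M-1) is router j = i mod N."""
    n = len(routers)
    if n == 0:
        raise ValueError("a parallel computer needs at least one VPN router")
    return {i: routers[i % n] for i in range(m_nodes)}


def reset_route_table(m_nodes: int, routers: Sequence[str],
                      add: Sequence[str] = (), remove: Sequence[str] = ()
                      ) -> Tuple[List[str], Dict[int, str]]:
    """Step 1, on router add/delete: rebuild every node's default router.

    Because j = i mod N depends on N, most nodes move to a different router
    whenever N changes, so their IPsec tunnels must be re-established; the new
    table is what the local resource manager is told about.
    """
    gone = set(remove)
    new_routers = [r for r in routers if r not in gone]
    new_routers += [r for r in add if r not in new_routers]
    return new_routers, build_route_table(m_nodes, new_routers)


def router_loads(table: Dict[int, str], per_node_mbps: float) -> Dict[str, float]:
    """Traffic each router must encrypt: nodes assigned to it times per-node traffic."""
    return {r: c * per_node_mbps for r, c in Counter(table.values()).items()}


def effective_capacity(router_capacity_mbps: float,
                       penalty: float = CRYPTO_PENALTY) -> float:
    """Throughput left to a VPN router once the encryption overhead is paid."""
    if not 0.0 <= penalty < 1.0:
        raise ValueError("penalty must be a fraction in [0, 1)")
    return router_capacity_mbps * (1.0 - penalty)


def bottlenecks(table: Dict[int, str], per_node_mbps: float,
                router_capacity_mbps: float,
                penalty: float = CRYPTO_PENALTY) -> List[str]:
    """Routers whose encrypted throughput is below the traffic routed to them."""
    limit = effective_capacity(router_capacity_mbps, penalty)
    return sorted(r for r, load in router_loads(table, per_node_mbps).items()
                  if load > limit)


def routers_needed(m_nodes: int, per_node_mbps: float,
                   router_capacity_mbps: float,
                   penalty: float = CRYPTO_PENALTY) -> int:
    """Smallest N for which the i mod N assignment leaves no router a bottleneck.

    The busiest router carries ceil(M/N) nodes; N is raised until that fits.
    """
    limit = effective_capacity(router_capacity_mbps, penalty)
    if per_node_mbps > limit:
        raise ValueError("a single node already exceeds one router's capacity")
    n = 1
    while math.ceil(m_nodes / n) * per_node_mbps > limit:
        n += 1
    return n


if __name__ == "__main__":
    # Constructed scenario: 16 nodes at 10 Mbit/s each, 100 Mbit/s VPN routers.
    table = build_route_table(16, ["vpn-r0", "vpn-r1"])
    print("bottlenecks with 2 routers:", bottlenecks(table, 10.0, 100.0))
    routers, table = reset_route_table(16, ["vpn-r0", "vpn-r1"], add=["vpn-r2"])
    print("bottlenecks with 3 routers:", bottlenecks(table, 10.0, 100.0))
    print("routers needed:", routers_needed(16, 10.0, 100.0))
```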

The structure of VPN is shown in figure 5. 




Fig. 5. The structure of VPN based on IPSec 



Many hacker techniques are based on SUID programs and stack overflows. In order to prevent 
the execution of hostile tasks, monitor SUID programs and protect the software integrity of 
computers, we use sXid [12] to monitor changes in the state of SUID programs and 
use Tripwire [13] to protect the integrity of the whole software on the computers. We also 
add a security patch to the Linux kernel to support a non-executable stack. 
In conclusion, after adopting the security techniques mentioned above, the ACI testbed is 
much more secure, stable and recoverable. 



5 Related Work 

Because of its increasing importance, much research has been done on security, 
spanning from theory to practice, especially in distributed systems. However, there 
are still few security solutions and techniques aimed at ACI systems. On the other 
hand, being a geographically distributed, dynamic, and high-performance parallel 
computing environment, ACI deserves more attention to its security problems. 

Kerberos [14] has been widely used since the 1980s, but its current version from 
MIT still relies on conventional cryptography and the AS/TGS combination. Although 
optional Kerberos extensions, such as PKINIT, PKTAPP, PKCROSS etc., have been 
proposed to support the use of public key cryptography, Kerberos still remains a fairly 
heavyweight solution suited to intra-domain security. 

DCE is a mature distributed computing platform developed by the Open Group. It is 
based on conventional shared-key cryptography with trusted third parties, and it also 
aims at intra-domain security solutions. 

Furthermore, the security solutions in Kerberos and DCE are based on the traditional 
client/server computing model and pay little attention to dynamic resources and high- 
performance parallel computing, which are the primary characteristics of ACI 
systems. Hence, they are not adaptable to the security problems of ACI-based 
applications. 

The goals of the Legion project [15], based on Globus [16], are similar to those of ACI 
systems. Based on object-oriented software technology, Legion implements an object- 
based architecture for applications and provides much flexibility in particular security 
mechanisms. Every object in Legion contains hooks allowing security services to be 
added or deleted freely. However, not all applications adopt the object-oriented 
architecture that Legion defines. Moreover, Legion only defines a high-level security 
model without an actual architecture and protocols, so many low-level security 
problems are left unaddressed by Legion. 

To summarize, current security technologies for distributed computing pay little 
attention to the complex security problems in ACI, and they are primarily concerned with 
the client/server computing environment. Compared with other security systems, TH- 
SMS aims at the special security problems in ACI and adapts different security 
solutions to different levels of ACI-based applications to guarantee their high 
performance and security at the same time. 



6 Conclusion 

The ACI testbed is an advanced distributed system which enables users to use 
geographically distributed high-performance computers and databases. To ensure its 
security, we designed and realized TH-SMS, a security management system with a 
three-level structure: interface security management, user security management and 
task security management. According to the different levels of the ACI infrastructure, we 
implement different security policies and techniques to ensure security 
comprehensively. Furthermore, to reduce security overheads, KCKPT and DP-VPN 
are introduced into task security management in TH-SMS. In conclusion, based on 
these security solutions in TH-SMS, the ACI testbed can present safer and more secure 
services to users in an effective and stable way. In the future, we will develop TH- 
SMS to support more heterogeneous architectures and operating systems connected in 
dynamic networks. 
Abstract. Middleware gives applications an abstract view of the un- 
derlying technology. Access control policies define the authorisations of 
principals. When no suitable representation of principals is available on 
the middleware layer, policies resort to using verifiable identifiers of un- 
derlying cryptographic mechanisms. However, this approach collides with 
the aim of hiding mechanism-specific details, which include the under- 
lying cryptographic mechanisms. This paper analyses the difficulties of 
fitting cryptographic mechanisms into a middleware security architecture 
without breaking either security or the original middleware design goals. 



1 Introduction 

To hide from applications the inherent complexities of object invocation in dis- 
tributed systems, a middleware layer is interposed between the application and 
the underlying technology, acting as a client-side proxy for target objects. To 
facilitate portability, flexibility, and technology independence, middleware archi- 
tectures specify a set of standardized interfaces between the application layer, 
the middleware layer, and the underlying technology. Interoperability and plat- 
form independence are achieved through a standardized object interface definition 
language and standardized communications protocols. 

As this paper will illustrate, middleware architectures may not represent the 
participants in the system in a way suitable for expressing security policies. 
As a result, policies need to use cryptographic identifiers from the underlying 
security technology, which breaks most of the middleware abstraction goals. 
We will discuss the problems, potential solutions, and the additional problems 
these solutions may introduce. Although the Common Object Request Broker 
Architecture (CORBA), a widely used middleware architecture, is used as a basis 
for our discussion, our analysis applies to middleware in general. 

Section 2 briefly introduces middleware, the CORBA architecture and design 
goals, and the terminology used. We will also describe the basic steps involved 
in an object invocation. Section 3 outlines the security requirements for mid- 
dleware and summarizes the main features of the CORBA Security Services 
specification. Section 4 covers the role and architectural position of cryptogra- 
phy in middleware security and examines the different choices of identifiers used 
in security policies. Section 5 compares potential solutions for integrating cryp- 
tography into a middleware security architecture and the problems they would 
introduce, pointing to MICOSec as a proof-of-concept implementation of the 
CORBA Security Services. 



2 Middleware 

Object-oriented middleware enables software objects to transparently call other 
objects across networks. This is achieved by mediating all remote method in- 
vocations through an Object Request Broker (ORB). On a conceptual level the 
ORB is often referred to as a “software bus” , analogous to a hardware bus that 
provides hardware devices with an abstract interface to the communications 
mechanism. This conceptual entity is implemented by the ORB libraries on each 
node and by the underlying technology, which includes all mechanisms that re- 
side below the middleware layer, e.g. virtual machine, operating system, network, 
transaction monitors, security mechanisms. It is the goal of middleware to hide 
as many details of the underlying technology as possible from the applications. 

2.1 CORBA 

The Common Object Request Broker Architecture (CORBA) [CO98] standard- 
izes interfaces for such an ORB. CORBA object interfaces are specified in a 
standardized Interface Definition Language (IDL), and objects can be located 
with Interoperable Object References (IORs). CORBA specifies a number of ad- 
ditional object services such as naming, events, persistence, time, and security. 
The following general design goals are postulated: 

Abstraction & Transparency: CORBA hides many of the inherent difficulties 
of distributed object computing from the application programmer. All object 
calls appear to be local invocations, i.e. the application programmer does not 
even need to know where an object is located on the network at the point the 
invocation is carried out (location transparency), as illustrated in section 2.2. 

Technology Independence & Flexibility: Object interfaces are described in IDL, 
which can be compiled into a variety of target programming languages and plat- 
forms. Thus, interfaces are independent of the programming language used to 
implement the client and server objects. CORBA also has its own communica- 
tions protocols, which run on top of a variety of conventional network protocols. 
The most commonly used CORBA protocol is the Internet-Inter-ORB-Protocol 
(IIOP) specifying how CORBA messages are transported via TCP/IP. 

Scalability: CORBA was designed to support systems with a potentially large 
number of objects and users and does not pose any restrictions on these numbers, 
and does without unique persistent identifiers for objects. 
Interoperability: Interoperability between objects running on compliant CORBA 
products from different vendors is facilitated by standardised communications 
protocols and an interface definition language. However, CORBA cannot always 
provide interoperability if the underlying technology does not match. For ex- 
ample, if different security service implementations use different cryptographic 
algorithms then CORBA will not be able to abstract from these inherent incom- 
patibilities - how should the recipient know how to decrypt a message encrypted 
with an unknown or unsupported algorithm? 



Portability & Reusability: Porting of objects between ORB products and re-use 
of objects in new applications is possible as CORBA standardises the interfaces 
visible from the application layer. So-called ‘CORBA wrappers’ can provide IDL 
interfaces to legacy systems. 

This paper will show that some of these design goals cannot be achieved when 
security is put in place. In particular, security clashes with transparency, scalabil- 
ity, and technology independence, and thus with interoperability and portability. 



2.2 Middleware Abstraction: Object Invocation 

This section will illustrate how the middleware architecture provides the abstrac- 
tion from details of the underlying network and object location. The application 
uses opaque object references that point to the target objects. We will go through 
the basic steps involved in an object invocation to give an understanding of how 
network abstraction is achieved (Figure 1). 







Fig. 1. CORBA Invocation 
A so-called object adapter separates a CORBA object from the servant¹ 
implementation. Object adapters are created by their underlying ORB and are 
responsible for the mapping between an object and the corresponding servant, 
and for object and servant lifecycles. There can be several object adapters per 
ORB, typically arranged hierarchically, and several objects per object adapter. 

Before an object can be invoked, it has to be registered with its object 
adapter. Depending on the particular implementation, the object adapter can 
then create the servant instance (1), or, to save resources, decide to instantiate 
the object only once it gets invoked. 

During object registration, an Interoperable Object Reference (IOR) is cre- 
ated, which encapsulates details specific to the underlying technology². The ap- 
plication can use this reference without understanding any of the content - it is 
always used in the same way by the client (similar to the usage of a pointer in 
object-oriented programming), no matter where the target object resides, which 
type of network is used, etc. As far as the application is concerned, all details of 
the underlying network can be ignored. The object reference is thus often called 
opaque or transparent. Internally, the object reference contains mechanism spe- 
cific details used by the ORB and the underlying technology, such as addressing 
information about the target, including hostname, port number, object adapter 
identifier, and object identifier. For scalability reasons, CORBA does not provide 
unique persistent identifiers for object adapters and objects. 

This IOR is then transferred to the client (2), either through a naming ser- 
vice or by other out-of-band means. When the client tries to invoke the target, 
it supplies the IOR to its ORB (3), which uses the addressing information to 
establish a network connection to the target (4). Then the client ORB can pack- 
age the invocation parameters into a standardized CORBA request format and 
send them across the network (5) to the target³. 

On the target side, the ORB receives the incoming request (6) and passes it 
up to the object adapter that matches the addressing information (7). The object 
adapter then passes the operation parameters up to the object implementation 
(i.e. the servant), which executes and, optionally, sends a reply back over the 
existing network connection⁴. 



¹ CORBA divides target applications into servers, which are used to launch the ORB 
and the object implementations, and servants, which contain the actual object im- 
plementations behind the IDL interface. 

² Only transient object references should point to object instances. If an instance 
is destroyed and re-instantiated, the old object reference should not automatically 
point to the new object as the state or the context with the object may have been 
lost. CORBA also has persistent references, which can only be used in special cases. 

³ More precisely, the application inputs the arguments into so-called stubs, which 
represent the target interface on the client-side. 

⁴ CORBA also supports asynchronous messages called call-backs, but they are not 
relevant here. 
3 Middleware Security 

Having illustrated how middleware can abstract the underlying network for ap- 
plications, we now turn to the basic security concepts required in middleware 
systems and discuss why it is difficult to achieve a similarly elegant solution with 
respect to middleware security. The central security component is the reference 
monitor controlling which clients can access which target objects (or, more fine- 
grained, which target operations) under which circumstances. Hence, it is clear 
that there needs to be a representation of all participants in the access control 
policy. We will call this representation identifiers. 

In middleware, message identifiers are generally not directly relevant to secu- 
rity enforcement⁵. Messages are just a way of conveying an invocation from the 
caller to the target and back, and thus include the identifier of client or target, 
so that a policy can be enforced based on these identifiers. 

To give these identifiers a meaning, they need to be linked to the princi- 
pal they represent. A principal in a middleware system can either be a human 
user who initiates an invocation, or an object instance⁶ which (re-) acts with- 
out human intervention. The link can be established by the middleware through 
principal authentication, which often involves checking whether the principal 
possesses a secret, such as a password or a private key. 

To avoid the need for principal authentication every time an object gets 
invoked, the authenticated identifier is stored in a credentials token. It can then 
be re-used for request authentication⁷ whenever an object is invoked within the 
security context represented by the credentials tokens on both sides. Security 
context establishment securely transfers authenticated identifiers to the remote 
side, where they can be used for local security enforcement. 



3.1 CORBA Security Services 

The CORBA Security Services specification (CORBASec) [CS99] specifies the 
security functionality components authentication, message protection, autho- 
rization, audit, and optionally non-repudiation [ISOl]. Instead of implementing 
all the security functionality itself, CORBASec acts to some extent⁸ like an API 
which calls underlying security mechanisms such as Kerberos [KN93], SESAME 

⁵ Of course, messages do have identifiers which allow the ORBs to associate replies 
with requests, but they are not unique, are chosen at random for each message, and 
are not persistent. 

⁶ More precisely, a principal should be linked to the information inside an object and 
not to the object instance. After all, it would be possible to re-instantiate an object 
if it crashes, and it should still have the same principal identifier. 

⁷ In CORBA, this is done transparently by the underlying security technology (e.g. 
SSL) whenever an object invocation occurs. 

⁸ Some services are implemented on the ORB layer using so-called interceptors, e.g. 
access control and audit. However, they rely strongly on the services provided by 
the underlying security technology, such as authentication and message protection. 




Cryptography and Middleware Security 413 



[PP95], and SPKM, through an interface modelled after GSS-API [LJ97]. There- 
fore the functionality offered by CORBASec is always limited by the functionality 
offered by the underlying security mechanisms. 

CORBASec was first published in 1995 and subsequently went through sev- 
eral updates to mitigate a number of discovered architectural problems, in par- 
ticular regarding interoperability and portability. In version 1.5, SSLIOP, the 
SSL Inter-ORB Protocol, was added to the specification to meet industry de- 
mand. The current draft version 1.8 comprises around 450 pages. There exist a 
number of additional security-related documents, most notably the Security Do- 
main Management Membership Service revised submission [DM00], and a final 
submission for Common Secure Interoperability v2 (CSIv2), which is supposed 
to enhance the interoperability between different CORBASec implementations, 
and between CORBASec and Enterprise Java Beans. 

Although SSL is widely used as a basic security mechanism for CORBA 
security, it does not integrate well into the CORBA security architecture. SSL 
works as a secure transport mechanism, establishing a network connection as 
part of the security context establishment. Therefore SSL has to be integrated 
as an alternative transport mechanism into the ORB. This way, the security 
context is set up automatically when the ORB opens a new network connection. 



4 Cryptography and Middleware Abstraction 

Cryptographic mechanisms are used to guarantee the authenticity and some- 
times the confidentiality of claimed identifiers. Authentication protocols gener- 
ally check that a particular cryptographic key was used when a message was 
formed. The key can be the principal’s key or the key of a certification authority 
that guarantees that a particular key belongs to a particular principal. Public-key 
cryptography is often used together with identity certificates, which primarily 
bind a principal’s identifier to its public key. Alternatively, a symmetric key can 
belong to an authentication server, e.g. in Kerberos systems, which guarantees 
the identity of the principal. Access control relies on a guaranteed semantic link 
between the keys and the corresponding principals. Cryptography does not as 
such guarantee this link and one usually relies on the assumption that only the 
principal and no-one else has access to its private key. 

Once both communicating parties have checked that the expected party is 
on the remote end, cryptographic mechanisms are used for message protection. 
This can be done automatically by the network, e.g. when SSL is used. 

Cryptography also plays a role in non-repudiation. Effective non-repudiation 
can only be achieved on the application layer, because principals have to con- 
sciously agree to an action to make them directly responsible for it. Automatic 
evidence generation on lower system layers would remove that responsibility from 
the principal and is therefore not recommended. Because non-repudiation has 
to be provided at the application layer, it is not directly related to middleware 
security, and will thus not be discussed any further in this paper. 
Fig. 2. Principal Authentication, Credentials, Request Authentication 



4.1 Architectural Position of Cryptography 

To meet the design goals of transparency, abstraction, interoperability, and 
portability, all information should have a technology independent representa- 
tion on the middleware layer. In other words, all used technology (e.g. network, 
operating system, name service) should be hidden underneath the middleware 
layer. This also applies to cryptographic algorithms and protocols, in some cases 
even to keys and certificates. 

Principals reside above the middleware layer, as they are either parts of the 
client or target application or human users who conceptually reside “above” 
the application layer. During principal authentication, the ORB associates the 
principal’s security information, such as its key and identifier (e.g. its private key 
and its X.509 certificate), with the application from which invocations will be 
made. Hence, although credentials objects reside on the middleware layer, they 
contain information specific to the underlying security mechanisms (e.g. keys). 

After principal authentication, the middleware or the underlying security 
mechanisms have access to the credentials information associated with the prin- 
cipal on whose behalf they act. Whenever the application invokes a target object, 
the credentials are used to authenticate the remote principal and to protect the 
message. In this way, many invocations can be carried out using the principal’s 
key material without the need for repeated principal authentication. Figure 2 
illustrates (exemplary for the client side) where principal authentication, cre- 
dentials, and request authentication reside in the middleware architecture and 
how they are related: 

In summary, the cryptographic mechanisms are located below the middle- 
ware, whereas the principals represented by the cryptographic identifiers reside 
above the middleware layer. The reference monitor, which resides on the mid- 
dleware layer, enforces its access control policy based on these cryptographic 
identifiers. 
4.2 Identifiers for Middleware Security Policies 

For access control on the middleware layer, all principals and target objects need 
to have a representation in the policy. To comply with the CORBA design goals, 
this policy information needs to be technology unspecific, i.e. abstracted from 
the underlying security mechanisms. Architecturally, it would be preferable to 
represent the principals with information available at the middleware layer, but 
we will illustrate in the following why this is not possible. Also we will show why 
it is useful to have an unchanging name for target objects. 

Principal Identifiers. A client in object-oriented middleware systems such 
as CORBA does not have its own object interface and thus is by definition 
not an object. A CORBA client is only defined by the fact that it uses an 
object reference to invoke a target through matching stubs, which represent the 
target interface on the client-side. The only way to name clients effectively is by 
using the cryptographic identifiers of its associated principal, which conflicts with 
the aforementioned abstraction requirement that cryptographic material should 
reside below the middleware layer. Target-side principals could be described 
by cryptographic identifiers in the same way, but we will show below why this 
introduces additional problems on the target side. 



Target Object Identifiers. Target-side access control needs a representation 
of the target object to be able to link a policy to its corresponding object. 
The target object* could be represented by its interface, by its instance, or by 
its cryptographic identifier. Note that neither the object reference nor the target 
interface appears on the middleware layer; they are logically situated on 
the layer above. Object location and authenticated identities of the caller and 
target are concepts of the layers below. Moreover, CORBA does not provide 
unique naming of object instances as this is not scalable. 

The interface type is not a useful identifier for the target because, due to 
interface inheritance in object-oriented systems, the link to the actual imple- 
mentation running behind an interface may be tenuous. In fact, it is normally 
not possible to find the most derived interface of an object implementation. 
Although CORBA provides an interface repository that contains the interface 
descriptions and most derived interfaces of the objects, such repositories are 
not used for security purposes for performance and assurance reasons. In addi- 
tion, the interface type describes the target at the wrong granularity. In most 
cases there will be a large number of objects with the same interface (e.g. bank 
accounts), but policies often refer to particular object instances. 

* By object, we do not mean the interface or the instance of an object. For example, 
we would like to represent a particular category of bank account objects (e.g. Al- 
ice’s bank account), regardless of their particular object instances (and associated 
object references). Also there might be other bank account objects of the same in- 
terface type, so we do not mean the interface either. We rather mean the particular 
information associated with an object. 
The target object instance is represented by its object reference, which in 
CORBA contains the hostname, the port number, the object adapter identifier, 
and the object identifier. The identifiers for object and object adapter are not 
unique, and in most cases chosen randomly by the underlying object adapter or 
ORB, respectively. Hence the object reference will change if an object instance 
gets destroyed and re-instantiated and so it is not a useful representation of the 
target object in the policy. After all, the same policy should apply to an object, 
regardless if it has been destroyed and re-instantiated or not. This shows that 
the target identifier should represent the information inside an object, and not 
the instance or interface. In the example of bank accounts, the policy should be 
linked to a particular client bank account, regardless of the object instance, but 
it should not apply to all account objects with the same interface. 

The target could also be represented by its cryptographic identifier, with the 
same implications as for the client-side. However, there is often the additional 
problem that the granularity of the underlying security mechanism does not 
match the granularity required on the middleware layer. For example, if SSL 
is used, then all principals behind a particular port will have the same crypto- 
graphic identifier, which can be undesirable. 



5 Towards a Solution 

Cryptographic identifiers for principals should remain hidden below the middle- 
ware to enable interoperability, portability, and abstraction. As observed there 
is no notion for clients on the middleware layer, and although there is a notion 
for the target, this target representation can change dynamically for the same 
object*. We will now outline how cryptographic identifiers and other target 
identifiers could be mapped onto static, mechanism-independent, interopera- 
ble identifiers, and which potential problems this introduces. In this way, both 
principals and targets can be expressed in target-side access control (or audit) 
policies. Also, target identifiers are necessary for associating policy enforcement 
rules with their respective target objects. Client-side access control policies are 
possible, but rare in practice and will therefore not be discussed in this paper. 

5.1 Cryptographic Identifier Abstraction 

Assume that principals are represented in the access control policy with simple 
name strings, such as “Alice” and “Bob”. During request authentication, the 
underlying security protocol needs access to the corresponding cryptographic 
identifier to check who is invoking the target. The mapping between the name 
string and the associated key can be either achieved through a local mapping 
table or by distributing identity certificates (e.g. X.509). However, there are 
potential semantic problems if the granularity of the underlying authentication 
mechanism is not fine enough to guarantee an unambiguous mapping. For exam- 
ple, in the case of SSL, if several principals with different names reside behind 
the same socket, they all share the same cryptographic identity. This shows that 
although this mapping is technically easy to achieve, it is often not advisable 
to abstract away the nature of the underlying security mechanism. Although it 
preserves interoperability, abstraction, and portability, it also introduces the risk 
of semantic mismatches when the underlying security mechanism changes. 

* More precisely, for the information inside the object, not the object instance as such. 

5.2 Target Identifier Abstraction 

Although the information in the object reference is transient (as explained in 
Section 2.2) it can be semi-automatically mapped onto a static domain name by 
the object adapter at the time the object reference is created (see [DM00]). The 
domain name could be provided by the administrator together with the request 
to register a new object. The object adapter then puts the mapping between the 
domain name and its own name with the randomly chosen object identifier into 
a local mapping table. 

This way, a particular user’s bank account object could always have the same 
name in the local mapping table. Whenever an invocation arrives, the middleware 
can use the information from the request (which originally came from the object 
reference) to map back to the target name. The associated policy can then be 
located by using the domain name. With this level of indirection, the policy need 
not be modified each time an object is re-instantiated, and thus abstracts the 
dynamicity caused by the scalability requirement. 

5.3 MICOSec: Proof of Concept 

As a proof of concept, ObjectSecurity has developed MICOSec [OS00], an Open- 
Source CORBA security services implementation. MICOSec is based on the 
MICO ORB [MU00], a C++ implementation of the CORBA specifications. 
MICO was chosen for its transparent structure and its high degree of confor- 
mance to the CORBA standard. 

In its current version, MICOSec uses MICO’s built-in SSL* support for its 
authentication and message protection services. Both client-side user identities 
and target-side identities are based on X.509 certificates, which are managed 
by a public key infrastructure. In addition to the basic security functionality, 
domain name based access control and audit services have been implemented. 

6 Conclusion 

It is difficult to fit cryptographic security mechanisms into a middleware security 
architecture without breaking the middleware design goals such as abstraction, 
transparency, interoperability, scalability, and portability. Middleware security 
policies need to express the participants in the system, but no suitable repre- 
sentation of such participants is available on the middleware layer. There is no 
notion of “principals”, client applications do not have an identifier, and target 
identifiers such as the object reference or the interface type are not suitable. 
As a result, security policies have to draw on the verifiable identifiers of the 
underlying cryptographic mechanisms. 

* SSL is built around the concept of secure connections (sessions), which are concep- 
tually equivalent to security associations on the middleware layer. 

The reference monitor implemented on the middleware layer thus relies on the 
guaranteed identifiers of the underlying cryptographic mechanisms the middle- 
ware tries to hide*. As a result, the whole concept of ORB level separation from 
the underlying security technology breaks: introducing the middleware layer not 
only separates the application from the underlying network, it also separates the 
security problem from the security solution. 

We have presented some potential workarounds, which involve the mapping 
of cryptographic identifiers onto a suitable representation on the middleware 
layer. Unfortunately, this approach can introduce a new set of problems related 
to the semantics and granularity of identifiers. 

* It is feasible, but difficult, to use cryptographic mechanisms on the application layer, 
but this would break most of the middleware design goals. 
Abstract. In this paper, the cryptanalytic strength of two Hwang- 
Rao Secret Error-Correcting Code (SECC) schemes is examined under 
a known-plaintext attack. In particular, we found the existence of key 
information redundancy in all SECCs used in the electronic codebook 
(ECB) mode. Also, our investigations indicate the existence of synergism 
in the SECC schemes, that is, the security of SECC (containing three 
transformations, $\Psi$ and $E$ and $P$) is much stronger than the individual 
strength of either $\Psi$ or $E$ or $P$. 



1 Introduction 

Using error-correcting codes as cryptosystems was introduced by McEliece [1, 
2,3,4]. McEliece’s proposal was to use a Goppa code as the underlying basis of 
an ingenious public-key scheme. Rao and Nam [5,6,7] subsequently introduced a 
new approach to the private-key algebraic-coded cryptosystems requiring simple 
error-correcting codes (distance > 6 codes). Hwang and Rao [8] then devised 
a class of private key cryptosystems, called the Secret Error-Correcting Codes 
(SECCs). 

A SECC provides both data security and data reliability while retaining the 
full error-correcting capability of the introduced code for possible channel errors. 
Also, in a SECC scheme, any unauthorized user would find it hard to correct 
channel errors without the decoding keys, and the presence of channel errors 
introduces an additional level of security to the system. In this research, we will 
examine the cryptographic strength of SECCs used in the electronic codebook 
(ECB) mode. Figure 1 illustrates the three transformations, $\Psi$ and $E$ and $P$, 
involved in the SECC scheme operating in ECB mode. 

The ciphertext $C$ is given by 

$$C = E(\Psi(M)) \cdot P$$

Fig. 1. Hwang-Rao Secret Error-Correcting Code (SECC) 

where $\Psi$ is a cryptographic transformation selected by the subkey $K_1$, $E$ is the 
encoding of an $(n, k)$ nonlinear code selected by the subkey $K_2$, and $P$ is a 
random $n \times n$ permutation matrix selected by the subkey $K_3$. The cryptographic 
transformation $\Psi$ is installed with the purpose of withstanding chosen plaintext 
attacks like those done in [6], and the Preparata code [9] was mentioned as the 
underlying basis of $E$. 

Preparata codes [9] are a family of $(n = 2^r - 1,\; k = 2^r - 2r,\; 5)$ optimal 
double error-correcting codes, for even $r \ge 4$. The representation of Preparata 
codes in terms of polynomials over $GF(2)$ modulo is as follows. 

Let $\alpha$ denote a primitive element of $GF(2^{r-1})$; $g(x)$ the minimum polynomial of 
$\alpha$; $g_3(x)$ the minimum polynomial of $\alpha^3$; $\{m(x)\}$ a $[2^{r-1} - 1,\; 2^{r-1} - r,\; 3]$ 
Hamming code generated by $g(x)$; $\{s(x)\}$ a $[2^{r-1} - 1,\; 2^{r-1} - 2r,\; 6]$ BCH code 
generated by $(1 + x)\,g(x)\,g_3(x)$; $f(x)$ the nonzero code polynomial of the dual 
code of $\{m(x)\}$ such that $f^2(x) = f(x)$; $u(x) = 1 + x + x^2 + \dots + x^{2^{r-1}-2}$; 
$q(x) \in \{0, 1, x, x^2, \dots, x^{2^{r-1}-2}\}$; $b \in \{0, 1\}$. Then the 3-block binary vectors 
of the form 

$$[\,m(x) + q(x),\;\; b,\;\; m(x) + (m(1) + b)\,u(x) + q(x) f(x) + s(x)\,]$$

are the codewords of the Preparata codes. 

We will examine the security of SECC using the Preparata code in the presence 
of a random error vector of weight $\le 1$, as shown in Fig. 2; we call it SECC 
Scheme I in this research. 

Fig. 2. Hwang-Rao SECC Scheme I 

In all that follows, we assume that the Preparata code of interest is fixed 
and known to the cryptanalyst, for the number of possible Preparata codes of a 
given code length $n = 2^r - 1$ is very small (less than or equal to 48 
for code length $n \le 1023$). In order to increase the error-correcting capability of 
SECC using Preparata codes, Hwang and Rao also suggest using the $|u\,|\,u + v|$ 
code construction method [10, p. 76]. This scheme, shown in Figure 3, will be 
called SECC Scheme II. 




Fig. 3. SECC Scheme II 



For the SECC Scheme II, the ciphertext $C_i$ is given by 

$$C_i = (W_i,\; U_i) \cdot P = (W_i,\; W_i \cdot Q + V_i) \cdot P,$$

where $W_i = E_P(B_i)$, $V_i = E_L(A_i)$, $(B_i, A_i) = \Psi_{K_1}(M_i)$, $E_P$ denotes the 
encoding of an $(n, m_1)$ Preparata code; $E_L$ is the generator matrix of an $(n, m_2)$ 
linear code selected by the subkey $K_2$*; $k = m_1 + m_2$; $P$ is a $2n \times 2n$ 
permutation matrix, $Q$ is an $n \times n$ permutation matrix, both randomly selected 
by the subkeys $K_3$, $K_4$ respectively. 

In the following sections, the cryptanalytic strength of the above two SECC 
schemes is examined under a known-plaintext attack. In particular, we found 
the existence of key information redundancy in all SECCs used in the electronic 
codebook (ECB) mode. That is, we could perform exhaustive searching applied 
to the subkey $K_1$ and recover the other subkeys. Since exhaustive searching has been 
applied, the conclusions obtained do not mean that the schemes considered here 
are cryptographically insecure; rather they show that under a known-plaintext 
attack all the additional functions introduced into the schemes do not contribute 
substantially to their cryptographic strength. To counter the attack, key expansion 
might be used, where a short key is stretched into a long one [11]. 

2 A Known-Plaintext Attack to the SECC Scheme I 

Suppose we have $s$ plaintext-ciphertext pairs, denoted by $(M_1, C_1), (M_2, C_2), 
\dots, (M_s, C_s)$; then our attack can be described as the following two steps. 

* We also use the symbol $E_L$ to denote the linear code selected by $K_2$. 

2.1 Determining the Subkey $K_1$ by Exhaustive Searching 

First, we will try to find the unknown subkey $K_1$ by a brute-force approach. 
Let $K_1$ denote the subkey in trial; then for each given plaintext $M_i$, 
$1 \le i \le s$, compute $B_i = E_P(\Psi_{K_1}(M_i))$ under the control of the trial key $K_1$. It is 
clear that the permutation $P$ is a (Hamming) weight preserving transformation. 
Therefore, we can use the condition 

$$\mathrm{weight}(B_i) = \mathrm{weight}(C_i),\quad 1 \le i \le s$$

to search for the correct subkey $K_1$. Let $p_i$ denote the probability for a randomly 
chosen codeword of the Preparata code to have weight $i$; then we have $p_i \le \frac{1}{2}$ 
for any $4 \le i \le n - 4$, as can be seen from the symmetry of the weight enumerator 
of the Preparata codes [10, p. 473]. Thus, the probability $p$ for a false $K_1$ to pass 
the test on $s$ plaintext-ciphertext pairs is $p \le$ . The correct subkey $K_1$, in 
general, will be uniquely determined if we have $s \ge |K_1|$ (length of the subkey 
$K_1$ in bits) such pairs. 

2.2 Determining the Permutation P 

Once the subkey $K_1$ has been found, we note that 

$$B\,P = C,$$

where $B$ is the $s \times n$ matrix 

$$B = \begin{bmatrix} B_1 \\ B_2 \\ \vdots \\ B_s \end{bmatrix}$$

and $C$ is the $s \times n$ matrix 

$$C = \begin{bmatrix} C_1 \\ C_2 \\ \vdots \\ C_s \end{bmatrix}.$$

Now the permutation $P$ can be determined by comparing the $n$ columns in 
the matrix $B$ with the $n$ columns in the matrix $C$. 
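As an added illustration (not code from the paper), the following Python model runs the Scheme I attack of Sections 2.1 and 2.2 end to end on a toy instance: the weight test filters trial subkeys, then column matching recovers P. The keyed transformation Ψ (XOR mask plus rotation), the (8,4) code E, the 6-bit subkey and the generated plaintext-ciphertext pairs are all constructed stand-ins, not the Preparata code or any parameters from the paper.

```python
"""Toy model of the Scheme I known-plaintext attack (weight test, then column
matching for P).  Psi, the (8,4) code E, the key sizes and the sample pairs are
all constructed for illustration; none of them are the paper's parameters."""
import itertools
import random

N_BITS = 8   # codeword length n of the toy code E
K_BITS = 4   # message length k

# All 64 candidate subkeys K1 = (4-bit XOR mask, rotation amount).
ALL_K1 = [(mask, rot)
          for mask in itertools.product((0, 1), repeat=K_BITS)
          for rot in range(K_BITS)]


def encode(m):
    """Toy systematic (8,4) code E: Hamming (7,4) parity bits plus one
    nonlinear check bit, so that E is not a linear code."""
    m0, m1, m2, m3 = m
    p1, p2, p3 = m0 ^ m1 ^ m3, m0 ^ m2 ^ m3, m1 ^ m2 ^ m3
    q = (m0 & m1) ^ m2
    return (m0, m1, m2, m3, p1, p2, p3, q)


def psi(m, k1):
    """Toy stand-in for Psi_K1: XOR with a mask, then rotate left by rot."""
    mask, rot = k1
    x = tuple(a ^ b for a, b in zip(m, mask))
    return x[rot:] + x[:rot]


def apply_perm(v, perm):
    """v . P for the permutation matrix P given as perm: output position j
    carries input position perm[j]."""
    return tuple(v[perm[j]] for j in range(len(v)))


def encrypt(m, k1, perm):
    """Scheme I in ECB mode over an error-free channel: C = E(Psi_K1(M)) . P."""
    return apply_perm(encode(psi(m, k1)), perm)


def weight_test(pairs, k1):
    """Section 2.1 criterion: P preserves Hamming weight, so the right K1 gives
    weight(E(Psi_K1(M_i))) == weight(C_i) for every known pair."""
    return all(sum(encode(psi(m, k1))) == sum(c) for m, c in pairs)


def recover_perm(pairs, k1):
    """Section 2.2: with B_i = E(Psi_K1(M_i)) and C_i as rows, B . P = C, so
    column j of C equals column perm[j] of B.  Returns perm, or None when the
    columns cannot be matched (which also rules out a false K1)."""
    b_rows = [encode(psi(m, k1)) for m, _ in pairs]
    b_cols = [tuple(r[i] for r in b_rows) for i in range(N_BITS)]
    c_cols = [tuple(c[j] for _, c in pairs) for j in range(N_BITS)]
    perm, used = [], set()
    for col in c_cols:
        # Identical B columns (possible with few pairs) are interchangeable,
        # so any unused matching column gives a P consistent with the pairs.
        i = next((i for i, b in enumerate(b_cols) if b == col and i not in used), None)
        if i is None:
            return None
        used.add(i)
        perm.append(i)
    return perm


def attack(pairs):
    """Exhaustive search over K1 with the weight test, then column matching.
    Returns every (k1, perm) consistent with all known pairs."""
    found = []
    for k1 in ALL_K1:
        if weight_test(pairs, k1):
            perm = recover_perm(pairs, k1)
            if perm is not None:
                found.append((k1, perm))
    return found


def decrypt(c, k1, perm):
    """Undo P, take the systematic part of the toy code, undo Psi."""
    b = [0] * N_BITS
    for j, i in enumerate(perm):
        b[i] = c[j]
    x = tuple(b[:K_BITS])
    mask, rot = k1
    x = x[K_BITS - rot:] + x[:K_BITS - rot]      # rotate right by rot
    return tuple(a ^ m for a, m in zip(x, mask))


def demo(seed=7, s=12):
    """Draw a random toy key and s known pairs (constructed sample data), run
    the attack, and return (true_k1, true_perm, pairs, candidates)."""
    rng = random.Random(seed)
    true_k1 = (tuple(rng.randrange(2) for _ in range(K_BITS)), rng.randrange(K_BITS))
    true_perm = list(range(N_BITS))
    rng.shuffle(true_perm)
    msgs = rng.sample(list(itertools.product((0, 1), repeat=K_BITS)), s)
    pairs = [(m, encrypt(m, true_k1, true_perm)) for m in msgs]
    return true_k1, true_perm, pairs, attack(pairs)


if __name__ == "__main__":
    true_k1, true_perm, pairs, found = demo()
    print("true K1:", true_k1, "candidates surviving both steps:", len(found))
    for k1, perm in found:
        ok = all(decrypt(c, k1, perm) == m for m, c in pairs)
        print(" ", k1, perm, "decrypts all known pairs:", ok)
```

Any candidate that survives both steps is functionally equivalent to the true key on the known pairs, which is the key redundancy the paper describes: the weight test alone prunes almost all of the 64 trial subkeys.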



3 A Known Plaintext Attack to the SECC Scheme II 

Our attack is based on utilizing the linearity of $E_L$, $Q$, and $P$, and we will again 
assume that $s$ plaintext-ciphertext pairs, $(M_1, C_1), (M_2, C_2), \dots, (M_s, C_s)$, are 
given. 

3.1 Determining the Subkey $K_1$ 

Let $K_1$ denote the subkey in trial and $(B_i, A_i) = \Psi_{K_1}(M_i)$. We begin by 
finding a maximal set of linearly independent solutions 

$$\lambda^{(i)} = (\lambda^{(i)}_1, \lambda^{(i)}_2, \dots, \lambda^{(i)}_s),\quad 1 \le i \le N,$$

of the system of homogeneous linear algebraic equations 

$$\lambda A = 0,$$

where $A$ is the $s \times n$ matrix with $A_j$, $1 \le j \le s$, as rows and 

$$\lambda = (\lambda_1, \lambda_2, \dots, \lambda_s)$$

denotes the $s$-dimensional vector of unknowns. We know from a well-known 
theorem in linear algebra (see, for example, [12, p. 76]) that $N \ge s - m_2$, 
and it follows from the linearity of the (linear) code $E_L$ that 

$$\sum_{j=1}^{s} \lambda^{(i)}_j\, E_L(A_j) = E_L\Big(\sum_{j=1}^{s} \lambda^{(i)}_j A_j\Big) = 0,\quad i = 1, 2, \dots, N.$$



Therefore, if $K_1$ is the right choice, then 

$$\sum_{j=1}^{s} \lambda^{(i)}_j C_j = \sum_{j=1}^{s} \lambda^{(i)}_j\,(W_j,\; W_j \cdot Q + V_j) \cdot P 
= \Big(\sum_{j=1}^{s} \lambda^{(i)}_j E_P(B_j),\;\; \big(\sum_{j=1}^{s} \lambda^{(i)}_j E_P(B_j)\big) \cdot Q\Big) \cdot P$$

and hence we shall have 

$$2\,\mathrm{weight}\Big(\sum_{j=1}^{s} \lambda^{(i)}_j E_P(B_j)\Big) = \mathrm{weight}\Big(\sum_{j=1}^{s} \lambda^{(i)}_j C_j\Big),\quad 1 \le i \le N. \qquad (1)$$

We then determine the unknown $K_1$ by exhaustive searching and use (Eq. 
1) as our key identification criterion. This is a good criterion, for we know that 
under some general conditions the probability that a pair of randomly generated 
$n$-vectors will have the same (Hamming) weight is 

$$p = 4^{-n} \sum_{r=0}^{n} \binom{n}{r}^2 = \frac{1}{4^n}\binom{2n}{n} < \frac{1}{2},$$

so one can expect to determine $K_1$ uniquely if $s \ge m_2 +$ . We emphasize 
that the basic idea in designing the key identification criterion (Eq. 1) is to 
eliminate the influence of the subkeys $K_2$, $K_3$, $K_4$ in trying to determine the 
subkey $K_1$. 
3.2 Determining the Image Set $T = \{P(i) \mid n < i \le 2n\}$ 

Once $K_1$ has been found, we will determine the image set $T$ of the half interval 
$[n + 1, 2n]$ under the permutation $P$. We start with finding a maximal set of 
linearly independent solution vectors 

$$\mu^{(i)} = (\mu^{(i)}_1, \mu^{(i)}_2, \dots, \mu^{(i)}_s),\quad 1 \le i \le L,\qquad L \ge s - m_1,$$

of the system of homogeneous linear algebraic equations 

$$\mu W = 0,$$

where $W$ is the $s \times n$ matrix with $W_j$, $1 \le j \le s$, as rows and 

$$\mu = (\mu_1, \mu_2, \dots, \mu_s)$$

is the $s$-vector of unknowns. Then we shall have for each $1 \le i \le L$, 

$$\Phi^{(i)} = \sum_{j=1}^{s} \mu^{(i)}_j C_j = (0^{(n)},\; D^{(i)}) \cdot P,$$

where 

$$D^{(i)} = \sum_{j=1}^{s} \mu^{(i)}_j\, E_L(A_j),\quad 1 \le i \le L,$$

are codewords in $E_L$. Since the dimension of the linear code $E_L$ is $m_2$, the 
probability that there exists among these codewords a linear basis for $E_L$ will 
be [13] 

$$p = \prod_{i = L - m_2 + 1}^{L} \Big(1 - \frac{1}{2^i}\Big),$$

which is nearly equal to 1 when $s$ is sufficiently large, say, $s \ge m_1 + m_2 + 4$. 
Now suppose such a basis does exist; then we can determine $T$ according to the 
rule: 

$$k \in T \iff \text{the } k\text{-th component of } \Phi^{(i)} \text{ is 1 for some } i \in [1, L].$$

This criterion for determining $T$ is based on the simple observation that if we fix 
a certain linear basis of the code $E_L$, then for any $1 \le k \le n$ there is a codeword 
belonging to that basis such that its $k$-th component will be 1. For otherwise it 
would mean that the $k$-th location is redundant for the code $E_L$. 



3.3 Decrypting Ciphertexts without Knowing $K_2$, $K_3$, $K_4$ 

Once the subkey $K_1$ is determined from the given $s$ plaintext-ciphertext pairs, 
we could decrypt any other ciphertexts without knowing $K_2$, $K_3$, $K_4$. To recover 
the plaintexts, we arrange the numbers of the two sets $T$ and $S = [1, 2n] - T$ 
in some fixed, say increasing, order as 

$$S = \{s_1, s_2, \dots, s_n\},\qquad T = \{t_1, t_2, \dots, t_n\}$$

and for any $2n$-vector 

$$C = (c_1, c_2, \dots, c_{2n})$$

write 

$$C(S) = (c_{s_1}, c_{s_2}, \dots, c_{s_n}),\qquad C(T) = (c_{t_1}, c_{t_2}, \dots, c_{t_n}).$$

Since $\Psi_{K_1}(M) = (B, A)$, we will first find $B$ and $A$ from the received error-free 
ciphertext $C$, then recover the plaintext $M$. 

To find $B$, let $r$ be the dimension of the linear closure $\langle E_P \rangle$ of the Preparata 
code and find from among the codewords $W_i$, $1 \le i \le s$, a linear basis 

$$W_{\alpha_1}, W_{\alpha_2}, \dots, W_{\alpha_r}$$

for $\langle E_P \rangle$. As given in the above discussion, the success probability of doing 
this is nearly 1. Then we shall have 

$$C(S) = \sum_{k=1}^{r} \xi_k\, C_{\alpha_k}(S)$$

and after having computed the coefficients $\xi_k$ by solving the corresponding sys- 
tem of non-homogeneous linear algebraic equations, we shall have 

$$W = \sum_{k=1}^{r} \xi_k\, W_{\alpha_k}$$

and 

$$B = E_P^{-1}(W).$$

To find $A$, we replace $C(T)$ by 

$$C^*(T) = C(T) + \sum_{k=1}^{r} \xi_k\, C_{\alpha_k}(T),$$

and find from among the vectors $\Phi^{(i)}(T)$, $1 \le i \le L$, a set of $m_2$ linearly 
independent ones 

$$\Phi^{(\beta_1)}(T), \Phi^{(\beta_2)}(T), \dots, \Phi^{(\beta_{m_2})}(T).$$

Once such a set has been found, $C^*(T)$ can also be expressed as a linear 
combination of them: 

$$C^*(T) = \sum_{k=1}^{m_2} \eta_k\, \Phi^{(\beta_k)}(T).$$

The combination coefficients $\eta_k$ can be computed by solving the correspond- 
ing system of $n$ equations in $m_2$ unknowns, and it follows from the linearity of 
$E_L$ that 

$$A = \sum_{k=1}^{m_2} \eta_k \sum_{j=1}^{s} \mu^{(\beta_k)}_j A_j + \sum_{k=1}^{r} \xi_k\, A_{\alpha_k}.$$

Plaintext $M$ can then be obtained by 

$$M = \Psi_{K_1}^{-1}(B, A).$$

3.4 Determining the Subkeys $K_2$, $K_3$, $K_4$ 

We shall illustrate how to determine the subkeys $K_2$, $K_3$, $K_4$ by considering 
the case where $E_L$ is an $(n, m_2)$ cyclic code generated by a polynomial 

$$g(x) = x^d + g_{d-1}x^{d-1} + \dots + g_0,\qquad d = n - m_2,$$

with coefficients $g_i$, $0 \le i \le d - 1$, to be specified by the subkey $K_2$. 
First, consider the generator matrix 

$$G = \begin{bmatrix}
0 & 0 & \cdots & 0 & 1 & g_{d-1} & \cdots & g_1 & g_0 \\
0 & 0 & \cdots & 1 & g_{d-1} & g_{d-2} & \cdots & g_0 & 0 \\
\vdots & & & & & & & & \vdots \\
1 & g_{d-1} & \cdots & g_2 & g_1 & g_0 & 0 & \cdots & 0
\end{bmatrix} \qquad (2)$$

together with the $m_2 \times m_2$ non-singular matrix 

$$Y = \begin{bmatrix} y^{(\beta_1)} \\ \vdots \\ y^{(\beta_{m_2})} \end{bmatrix}$$

with rows 

$$y^{(\beta_k)} = \sum_{j=1}^{s} \mu^{(\beta_k)}_j A_j$$

and the $m_2 \times n$ matrix 

$$\Phi = \begin{bmatrix} \Phi^{(\beta_1)}(T) \\ \Phi^{(\beta_2)}(T) \\ \vdots \\ \Phi^{(\beta_{m_2})}(T) \end{bmatrix}.$$

Both $Y$ and $\Phi$ can be computed from the known plaintext-ciphertext pairs and 
we have 

$$G = Y^{-1}\, \Phi\, R,$$

where $R$ is an $n \times n$ permutation matrix. This means the matrix $G$, i.e., the 
subkey $K_2$, can be determined by reducing the product $Y^{-1} \cdot \Phi$ to the canonical 
form (Eq. 2) through column permutation. 

Once $E_L$ has been found, we can determine the value of $P(n + i) \in T$, 
$1 \le i \le n$, by comparing the columns of the matrices 

$$\begin{bmatrix} D^{(1)} \\ D^{(2)} \\ \vdots \\ D^{(L)} \end{bmatrix} \qquad\text{and}\qquad \begin{bmatrix} \Phi^{(1)}(T) \\ \Phi^{(2)}(T) \\ \vdots \\ \Phi^{(L)}(T) \end{bmatrix},$$

and determine the values $P(i) \in S$ by comparing the columns of 

$$\begin{bmatrix} W_1 \\ W_2 \\ \vdots \\ W_s \end{bmatrix} \qquad\text{and}\qquad \begin{bmatrix} C_1(S) \\ C_2(S) \\ \vdots \\ C_s(S) \end{bmatrix}.$$

Finally, by comparing the first $n$ columns with the last $n$ columns in the 
matrix with the rows 

$$C_i \cdot P^{-1} + (0^{(n)},\; E_L(A_i)),\quad 1 \le i \le s,$$

we can easily determine the permutation $Q$. 

4 Conclusions 

We have shown that, in the presence of sufficient plaintext-ciphertext pairs, 
both the SECC Scheme I and Scheme II can be attacked by exhaustive search- 
ing applied to the subkey $K_1$. Since exhaustive searching has been applied, the 
conclusions obtained do not mean that the SECC schemes considered here are 
cryptographically insecure; rather they show that under a known-plaintext at- 
tack all the additional devices introduced into the schemes do not contribute 
substantially to their cryptographic strength. To counter the attack, key expansion 
might be used, where a short key is stretched into a long one. 

The above investigations also indicate the existence of synergism in the SECC 
schemes, that is, the security of SECC using nonlinear codes (containing three 
transformations, $\Psi$ and $E$ and $P$) is much stronger than the individual strength 
of either $\Psi$ or $E$ or $P$. 
Abstract. Data access security in federated information systems with loose 
coupling among local data sources is hard to achieve mainly for two reasons: 
the heterogeneity of local information sources (data models, access security 
models, semantics...), and local autonomy, which does not allow a global 
integrated consistent security schema to be created. To solve some of these problems we 
propose a role-based object model to describe the local data access security 
schemas (discretionary and non-discretionary models). Interoperability among 
the various local data sources is achieved by a rich descriptive layer at the 
federated level. The global security policy allows the choices concerning 
information flow control to be defined both for importation (from the federation 
to a local system) and exportation (from a local system to the federation). 



1 Introduction 

In the field of information system cooperation, various approaches range from tight 
integration based on global schema construction to interoperability involving dynamic 
mediation processes. Global integration leads to a consistent global data schema but 
does not respect local autonomy and is not realistic when numerous information sources 
are willing to cooperate. On the other hand, loose coupling provides a good 
framework for scalable federative systems but requires knowledge-intensive 
processes to dynamically accommodate different data models and contexts [1]. In 
such approaches the main issues are related to data model discrepancies, semantic 
heterogeneity and security model inconsistencies. 

Security in federated databases is very complex because a large set of diverse users 
is expected to use a pool of component databases containing data of varying 
sensitivities with different security requirements. 

Two main assumptions are taken in federated databases: autonomy and 
heterogeneity [2]. The first refers to the ability of the local database system to retain 
the largest possible degree of control over the aspects of the federated system. The highest 
heterogeneity level is the semantic heterogeneity between local entities of the 
federation. Another heterogeneity problem is the difference between local 
organizational security methods (different schemes of user types and objects). 
Federated security systems must support both open and/or closed security axioms 
and logical access modes. 

In database federations, security plays an increased role. As the need to share 
information securely and the need to maintain the autonomy of local databases joining 
a federation often present conflicting requirements, some of the aspects of autonomy 
have to be sacrificed in order to achieve an actual federation. However, local database 
administrators would only offer their local data to the federation if secrecy and 
integrity were still guaranteed. So, the federation security system has to be at least as 
secure as each of the local systems and, on the other hand, as transparent as possible to 
users. 

To deal with both semantic heterogeneity and security in a federated context, we 
conciliate an object oriented model as a canonical descriptive model and a role based 
access model as a canonical security model. Since local information systems actually 
cooperate, a loose coupling among them exists. 

In sections 2 and 3 we discuss some related works and present our approach. In 
section 4 we expose the canonical model; in section 5, the local security model is shown. 
Section 6 presents the federated flow control policy. 



2 Related Works 

Several approaches are used to define federated security models: 

- using views and granting authorizations on the views to allow or prevent a global 
user to access information within a federation. In Goyal's [3] approach access 
rules are used to authorize or deny the access to a global view; 
- extending an existing access control model (such as DAC or MAC) to deal with 
the problems of autonomy and heterogeneity. 

The CHASSIS (Configurable, Heterogeneous, And Safe, Secure Information 
Systems) project [4] is a tightly coupled system with discretionary access control and a 
right granting system. In tightly coupled systems, a federation authority exists and the 
federated database system has its proper access model. In case of conflicts, 
prohibitions override permissions. Access rights can be granted to individual users 
and to roles. Multiple role activation is controlled by an activation conflict relation. 
Several rules exist to infer implicit rights according to the data model. In this 
approach the global schema has more importance than local ones. Some other 
propositions [5] use multi-level access control but in a relatively compatible and 
homogeneous database system. Several propositions [6] and [7] use a role-based 
access control model for DAC and MAC simulation in non-federated systems, but 
their approaches to access model heterogeneity are relevant for database federation 
security. The AMAC model uses both MAC and DAC models at the federated level 
[8]. It supports an automated labeling object system to compute large data queries in a 
federated system. These approaches have two limitations: the federated manager has 
poor visibility of local security, and the sub-transaction (part of the global query) sent to a 
local system could be aborted later, affecting the performance of the federated system; 
and the lack of a logical secured architecture does not show how the federated security can 
be enforced. 
One of the issues addressed in the Distributed Object Kernel (DOK) [9] is the development of 
a federated access control and a secured logical architecture. It allows the DOK 
system to enforce federated security policies in the context of autonomous, distributed 
and heterogeneous databases. The authors consider DAC and MAC access control. 
The federated level of the DOK system supports a bottom-up approach to access 
control: the Global Access Control (GAC) is derived from all the local security 
policies and ensures that no violation or overriding of local policies is possible. The 
DOK system is an open system: the federated access list for an aggregate is made 
explicit as the union of the security information defined in the different local databases. If only 
one database allows the reading of the aggregate, then according to the global policies the 
user has 'read access' to the required information. 

Some proposals focus on the evaluation of security object similarity, like [10]; the 
authors propose similarity criteria and associated metrics to compare the security 
specifications of different applications. They consider security specifications 
according to a role-based model, which provides powerful authorization mechanisms 
suitable for similarity analysis. They use a set of basic criteria called affinity criteria 
(such as synonymy and genericity), dictionaries of terms and roles, and a global 
similarity coefficient to compute the authorization affinity between two roles. They 
deal with the highest level of data semantic heterogeneity, not with the access 
model heterogeneity level. 

Security in federated information systems is a critical issue. When a high security 
level is defined, it often implies a tight coupling among local databases. Conversely, a 
loose coupling preserves the autonomy of local information sources and consequently 
leads to a poor global security level. 



3 Our Approach 

We propose a global framework for the cooperation of autonomous, pre-existing data 
sources, with an acceptable security level, built on a rich descriptive 
object-oriented layer. 

To constitute the descriptive layer we define metadata ensuring a homogeneous 
representation of each locally available information source [11], [12]. The layer 
supports the processing of global queries through Data Descriptive Objects (DDO) and 
Semantic Links (SemL). DDO and SemL are dedicated to the abstract description of 
the structure of local data entities and of the semantic links among them. For a given data 
model (relational, object, rule-based, ...) a set of DDO classes is defined to allow a 
description of the model as precise as required at the federated level. Thus for each 
local data entity a DDO is instantiated in the descriptive layer. To improve the 
expressiveness of the description, a set of SemL classes is also created (notice that 
SemL are not data model dependent) to express semantic links among the data. It 
allows inner links at the local level as well as inter-database links to be implemented: 
semantic links like synonymy, hyperonymy and hyponymy describe syntactic and 
conceptual equivalences among the data entities. The resulting semantic network 
constitutes a knowledge base used for the processing of global imprecise queries. 
We use a Role-Based Access Model [13] to describe each local security policy at 
the global cooperation level. This model is enriched by specific metadata describing 
data manipulation rights. Under the loose cooperation hypothesis we do not use data 
definition rights or rights administration concepts in the global system: 
such access rights are administered only by the local data owners or "security officers". 
RBAC models are efficient for simulating other access policies [14], [15] and respect 
the loosely coupled cooperation hypothesis. The local security items are modeled with 
two concepts: the security object (passive data entity) and the security subject (active 
entity such as a user); both are described with Security Descriptive Objects (SDO), which are 
instantiated from SDO classes (Data, User, ...). The Application SDO class describes 
the general security strategy of the local system. The local security authorization units, 
such as groups (DAC policies), roles (RBAC policies) or MAC "containers" (the result of the 
Cartesian product of the MAC category and MAC classification hierarchies of the 
local model), are described by Access Policy Descriptive Objects (APDO). Each SDO 
references related semantic descriptive objects (DDO). The overall security 
accommodation process of the local information sources is as follows: (1) lexical and 
data semantic description; (2) description of each local security exported schema with 
the corresponding security descriptive classes; (3) distribution into security domains at 
the global level. The security domains are sub-graphs extracted from the object 
security descriptive layer, providing a secured functional frame. We now present the 
security metadata ensuring a global secured framework for the cooperation structure. 



4 The Federated Canonical Model 

Figure 1 shows our data and security canonical model. Successively we 
specify local access policy descriptive classes, local access schema descriptive classes 
and link classes. 

Our objectives are: 

- to represent local access schemas respecting different access policies (DAC, 
MAC, RBAC); 
- to establish access equivalence between described schemas; 
- to control the federated information flow with: 
  - the respect of local user profiles; 
  - the respect of local exportation policies (information flow from a local 
system to the federation). 

4.1 Local Access Policy Descriptive Classes 

Access Policy Descriptive Object (APDO): 

An Access Policy Descriptive Object is defined by the tuple < FID; LD; LAP; 
LAMT; LMT; {role} >. FID is the Federated Identifier of the local system; LD is the 
Local Designation. LAP is the Local Access Policy, which is chosen from the set { 
DAC; RBAC; MAC_s; MAC_l } with DAC for Discretionary Access Control [16], 
RBAC for Role-Based Access Control, and MAC_s and MAC_l for the mandatory 
model with strict ☆-property and with liberal ☆-property respectively [17]. 
LAMT is the Local Access Mode Table and defines the correspondences between the 
local access modes and the federated access modes. The Local Mandatory Table 
(LMT) defines the correspondences between the local secrecy level hierarchy of a 
mandatory system and the federated secrecy level hierarchy. The LMT attribute is null-
valued in the case of a DAC or RBAC system description. {role} is a set of Roles which 
describe discretionary user groups, roles and mandatory categories. 




[Figure 1 not reproduced; the only recovered text is the panel title "Data Descriptive Model".] 

Fig. 1. UML [18] representation of the Data and Security Descriptive Model. 

Local Access Mode Table (LAMT): 

At the federated level we use five logical access modes: read-only (r), execute (x), 
append (a), upgrade (u) and delete (d), with r ⊥ x ⊥ a ⊥ u ⊥ d (the five modes are 
mutually independent). Each local access mode 
is described by a federated access mode combination. For example, in a Unix system 
the "write" access mode is described by the federated access mode combination a + u 
+ d. All the local access mode descriptions are defined in the Local Access Mode 
Table. 
Local Mandatory Table (LMT): 

The Local Mandatory Table describes the local secrecy hierarchy of a mandatory system. 
Each sensitivity level is associated with its index in the hierarchy; the lowest (dominated) 
level always comes first. The LMT references all the local sensitivity couples. For example, 
a local system with the hierarchy of sensitivity 
Non-Classified < Classified < Secret < Top Secret is described by the LMT 
{(Non-Classified; 1); (Classified; 2); (Secret; 3); (Top Secret; 4)}. 
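As an added illustration (not code from the paper or its prototype), the following Python builds a Local Access Mode Table and a Local Mandatory Table for a constructed Unix-like local system and for the secrecy hierarchy of the example above, and shows the two checks a federated security layer needs on top of them: expanding local modes into federated ones and, in the other direction, finding which local modes must be granted to honour a federated request together with the over-grant this entails (asking only for upgrade "u" forces the Unix "write" mode, which also grants append and delete). The names unix_lamt, example_lmt, local_grant_for and dominates are mine; the Unix "write" = a+u+d mapping is the paper's own.

```python
# Added example (not from the paper): a Local Access Mode Table (LAMT) and a Local
# Mandatory Table (LMT) as defined in Section 4.1, with the checks a federated security
# layer needs on top of them. `unix_lamt` and `example_lmt` are constructed illustrations.
from itertools import combinations

# The five federated logical access modes r, x, a, u, d are mutually independent.
FEDERATED_MODES = frozenset("rxaud")


def mode_combination(spec):
    """Parse a federated access mode combination written as in the paper, e.g. "a+u+d"."""
    modes = frozenset(m.strip() for m in spec.split("+") if m.strip())
    unknown = modes - FEDERATED_MODES
    if unknown:
        raise ValueError(f"unknown federated access mode(s): {sorted(unknown)}")
    return modes


# LAMT of a Unix-like local system: each local mode is described by a combination of
# federated modes ("write" is append + upgrade + delete, as in Section 4.1).
unix_lamt = {
    "read": mode_combination("r"),
    "write": mode_combination("a+u+d"),
    "execute": mode_combination("x"),
}


def build_lmt(levels_low_to_high):
    """LMT: local level name -> index, with the lowest (dominated) level at index 1."""
    return {name: i for i, name in enumerate(levels_low_to_high, start=1)}


# LMT of the hierarchy Non-Classified < Classified < Secret < Top Secret.
example_lmt = build_lmt(["Non-Classified", "Classified", "Secret", "Top Secret"])


def dominates(lmt, level_a, level_b):
    """True when level_a dominates (is at least as sensitive as) level_b."""
    return lmt[level_a] >= lmt[level_b]


def federated_modes_for(lamt, local_modes):
    """Union of the federated modes granted by a set of local modes."""
    result = frozenset()
    for lm in local_modes:
        if lm not in lamt:
            raise KeyError(f"local access mode {lm!r} is not described in the LAMT")
        result |= lamt[lm]
    return result


def local_grant_for(lamt, wanted):
    """Local modes to grant so that their federated expansion covers `wanted`.

    Returns (local_modes, excess): the fewest local modes that cover the request and,
    among those, the combination with the smallest over-grant. `excess` lists the
    federated modes the local system would grant beyond what was asked for (e.g.
    asking for upgrade "u" on Unix forces "write", which also grants "a" and "d");
    a federated flow control check must account for that.
    """
    wanted = frozenset(wanted)
    if not wanted:
        return frozenset(), frozenset()
    if not wanted <= FEDERATED_MODES:
        raise ValueError("request contains non-federated modes")
    for size in range(1, len(lamt) + 1):
        best = None
        for combo in combinations(sorted(lamt), size):
            granted = frozenset().union(*(lamt[m] for m in combo))
            if wanted <= granted:
                excess = granted - wanted
                if best is None or len(excess) < len(best[1]):
                    best = (frozenset(combo), excess)
        if best is not None:
            return best
    raise ValueError("no combination of local modes covers the requested federated modes")
```

The over-grant returned by local_grant_for is the quantity that matters for the strict import policy of section 6: a local system that can only grant "write" in exchange for a federated "u" request has to check the user's local profile against a+u+d, not against u alone.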



4.2 Local Access Schema Descriptive Classes 

Security Object Class (SOC): 

A Security Object represents a secured entity of the local access schema. A SO is 
defined by the tuple < FID; LD; FSL; DDO >. FID is the Federated Identifier of the 
local resource. LD is the Local Designation. FSL is the Federated Sensitivity Level; 
this attribute is null in the case of a DAC or RBAC model description. DDO is a 
referenced Data Descriptive Object. Each local secured datum is described by one to n 
Security Objects and one Data Descriptive Object (see section 5). 

User: 

A User Object describes a physical user of the local access schema. A User is defined 
by the tuple < FID; LD; FSL >. FID is the Federated Identifier of the local user. LD is 
the Local Designation and FSL the Federated Sensitivity Level; this attribute is null 
in the case of a DAC or RBAC model description. 

Permission: 

A Permission defines the access mode combination that the Subject Descriptive Objects of 
a given Role are allowed to execute on one Security Object. 

An Access Rule is defined by the tuple < so; m > with so a SO reference and m a 
federated access mode combination. 

Our access model is a closed security system: all non-authorized accesses are 
forbidden. 

Role: 

A Role is used in two cases: to represent a local discretionary user group, or to represent 
one sensitivity level of a local mandatory category (one Role per level). 

A Role is described by the tuple < FID; LD; FSL; {Permission}; {User}; {AHL}; 
{CLO}; {AELO} >. FID is the Federated Identifier of the described element. LD is 
the Local Designation of the described element. FSL is the Federated Sensitivity 
Level; this attribute is null in the case of a DAC or RBAC model description. 
{Permission} is the set of Permissions which define the access modes on Security Objects 
that are allowed for the Subject Descriptive Objects. {AHL} is the set of Access 
Heritage Links. {CLO} is the set of Constraint Link Objects, and {AELO} the set of 
Access Equivalent Link Objects (see section 5). 
4.3 Link Classes 

Access Heritage Link (AHL): 

An Access Heritage Link defines an access mode combination from a "father" role to 
a "son" role with the tuple < "father"; "son"; Mode >, where "father" is the "father" 
role reference, "son" is the "son" role reference and Mode is a federated access mode 
combination that the Subject Descriptive Objects of the "father" role are allowed to 
execute on all the Security Objects of the "son" role. A null Mode means that all SDO 
of the "father" role may execute the Access Rules of the "son" role (complete access). 

Constraint Link Class (CLC): 

Two types of Constraints are used in our system: 

- An Exclusion Constraint Link Object (ECLO) references two or more roles. A User 
can be referenced in only one role of the set of roles which reference the same ECLO. 
- An Activation Constraint Link Object (ACLO) references two or more roles. For a 
given user session, a User is active in only one role even if it is referenced in other roles 
of the same ACLO. 



5 Local Access Policy Description 

The security canonical model is used to describe Discretionary Access Policies (group 
model and role model) and Mandatory Access Policies (single-level, multi-level or 
poly-instantiated). 



5.1 Discretionary Model Description 

Discretionary security models govern users' accesses to information on the basis 
of the users' identities and of rules. These rules specify, for each user and secured 
resource in the system, the type of access the user is allowed to perform on the resource. 
We consider the discretionary model in the federation descriptive system with the 
following concepts: user, secured resource, access mode, positive access rule 
(authorization), negative access rule (interdiction) and user group (with inclusion 
relations between user groups). 

A local discretionary access system is described with the three entity types presented 
above. Five steps are required: 

1. Access Policy Descriptive Object instantiation: the Local Access Mode Table is 
created and contains the federated access mode combination equivalent to each 
local access mode. 

2. For each local user and each local secured resource, one User and one Security Object 
are created respectively. Each Security Object is connected to its Data 
Descriptive Object. 

3. For each Security Object, as many Roles are created as there are different local 
access rules (i.e. different combinations of access modes) in the Access Control 
List of the local secured resource. A Permission (with the proper mode combination) 
binds each Role to the related Security Object. The Users are referenced 
in the Role, which is called a Direct Access Role. 

4. For each local user group, a Role is created. The corresponding Users are 
referenced in the role. To provide access to the group resources, several 
permissions are instantiated which define the user group's rights on each resource: each 
permission references the Security Object and is referenced in the role. 

5. For each inclusion relation between two local user groups, an Access Heritage 
Link Object is created and links the two corresponding roles. The AHL mode is 
not specified: a user of the "father" group can access the Security Objects of the 
"son" group. 

5.2 Mandatory Model Description 

Mandatory security models govern the access to information on the basis of the 
classification of subjects and objects in the system [17]. Objects are passive entities 
storing information. Subjects are active entities accessing the objects. Generally, a 
subject is considered to be an active process operating on a user's behalf. Mandatory 
access classes are associated with every object and subject in the system. A secrecy 
level hierarchy (with the relation "dominates") is used to qualify each object and 
subject (mandatory clearance). 

Two axioms define the access rules of a subject to an object (referenced in the same 
category): 

- Read axiom: a subject with a mandatory clearance c can read all the objects with 
a secrecy level dominated by c. 
- Write or ☆-property: a subject with a mandatory clearance c can write on all 
objects with a secrecy level strictly equal to c (strict ☆-property), or on all objects 
with a secrecy level dominating c (liberal ☆-property). 

Mandatory models can belong to three categories according to the security object 
granularity. In single-level mandatory models, the components of Security Objects 
(i.e. attributes in an object class or in a relational table) have the same secrecy level 
[19], [20]. In our proposal, each such mandatory object is described by one single SO 
(security description) referencing one DDO (data description); an attribute must have 
the same Mandatory Level as its class. In multi-level mandatory models, 
attributes in an object class or in a relational table are themselves mandatory objects. Their 
sensitivity levels can dominate or be equal to the sensitivity level of their classes / 
relational tables [21], [22]. Each mandatory object is again described by one single SO 
(security description) referencing one DDO (data description), but in this case the 
Mandatory Levels of attributes and of classes / relational tables are not necessarily equal. 
In poly-instantiated multi-level mandatory models, an instance attribute can be multi-
valued: each attribute value carries the secrecy level equal to the writing subject's clearance level 
[23]. Each attribute is described by one DDO and n SO (the SO have different Mandatory 
Levels), where n is the number of secrecy levels in the local mandatory hierarchy of sensitivity. 
A local mandatory access system is described in six steps: 

1. A Local Model Descriptive Object describes the local access security policy. 
First the Local Access Mode Table is created and contains the federated access 
mode combination equivalent to each local access mode (mainly the read-only and 
write-only local access modes). Then the Local Mandatory Table is 
created to translate the local secrecy level hierarchy. 

2. For each local subject with a given clearance level cl, a User is created with 
Mandatory Clearance cl. Example: Mr. Smith has clearance level "Secret" in a mandatory 
system with the LMT {(Non-Classified; 1); (Classified; 2); (Secret; 3); (Top 
Secret; 4)}. The subject Mr. Smith is described by a User Descriptive Object (UDO) with 
Mandatory Clearance 3. 

3. Security Objects describing single-level local mandatory objects: for an object with a 
given secrecy level sl, one SO is created with a Mandatory Level equal to sl. The SO 
points to its related DDO. 

4. Security Objects describing poly-instantiated objects in a lattice-based access model: 
as many SO are created as there are secrecy levels in the local sensitivity hierarchy. 
Each SO has a different Mandatory Level. All the SO reference a single DDO. 

5. For each local mandatory category, as many roles are created as there are secrecy 
levels in the local sensitivity hierarchy. A User (subject of the local mandatory 
category) having Mandatory Clearance n is referenced in the role with 
Mandatory Level n. 

6. Mandatory security axioms: 

   Read axiom and strict ☆-property: 
   - For each role with a Mandatory Level n, two permissions are created (with 
mode = a+u+d, i.e. write, and with mode = r, i.e. read) per SO referenced in the 
role. 
   - In a described local mandatory category, Access Heritage Links (with mode 
= r) bind each role of a given level n (dominant) with the role of the level n-1 
(dominated), providing a descending read access heritage. 

   Read axiom and liberal ☆-property: 
   - For each role with a Mandatory Level n, two permissions are created (with 
mode = a+u+d, i.e. write, and with mode = r, i.e. read) per SO referenced in the 
role. 
   - In a described local mandatory category, Access Heritage Links (with mode 
= r) bind each role of a given level n (dominant) with the role of the 
level n-1 (dominated), providing a descending read-only access heritage. 
   - In a described local mandatory category, Access Heritage Links (with mode 
= a+u+d) bind each role of a given level n (dominated) with the role 
of the level n+1 (dominant), providing an ascending write-only access 
heritage. 

Figure 2 illustrates such a local mandatory model description. The local 
mandatory model is composed of: 

- a local single-level mandatory policy with a liberal ☆-property (EX2 IS:APDO); 
- the following Local Access Mode Table: Read (r) and Write (a+u+d); 
- the local hierarchy of sensitivity Non-Classified (NC), Classified (C), Secret 
(S) and Top Secret (TS), with the dominance relation ">": TS > S > C > NC. The 
Local Mandatory Table is: 1. Non-Classified, 2. Classified, 3. Secret and 4. Top 
Secret; 
- a mandatory category: Finance; 
- the following Objects of the category Finance: Sales Result (NC), Salary (C), 
Account 105 (S), Financial Plan (TS); 
- the subject Smith with "Secret" clearance level, belonging to the category Finance. 




Fig. 2. An example of mandatory model description with liberal ☆-property. 

- The User 018 is created with Mandatory Clearance 3. The User is referenced in the 
role of the corresponding level. 
- The "read" axiom is implemented by a descending access heritage (AHL with 
Mode = r). The liberal ☆-property is implemented by an ascending access 
heritage (AHL with Mode = a+u+d). This heritage does not exist in a 
mandatory model with strict ☆-property. 
- An Activation Constraint Link Object is referenced by the four roles and forbids 
the simultaneous activation of Smith's User in more than one of them. 

This MAC schema description respects the acyclicity of the MAC information flow (see the 
grayed sensitivity hierarchy of Mr. Smith's session). 
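The description procedures of sections 5.1 and 5.2 can be exercised with the following Python, added here as an example; it is not part of the paper or of its prototype. It builds the Roles, Permissions and Access Heritage Links for a constructed discretionary ACL/group schema and for the Finance mandatory schema of Fig. 2 (both with liberal and with strict ☆-property), then evaluates accesses by following the AHLs. One point is my own reading of the AHL definition of section 4.3: along a chain of links a subject obtains the reached role's permission modes intersected with every non-null Mode met on the path (a null Mode passes the son's Access Rules through unchanged), so a write-up link followed by a read-down link grants nothing; that is what keeps the derived information flow acyclic, as the figure requires. The clerk user, the office ACL and the group data are constructed.

```python
# Added example (not from the paper): evaluator for the canonical model of Sections 4-5.
# It describes a local DAC ACL/group schema (Section 5.1) and a local MAC schema (Section
# 5.2, Fig. 2) as Roles, Permissions and AHLs. Users, objects and ACLs are constructed.
from collections import deque

FED_MODES = frozenset("rxaud")                   # read-only, execute, append, upgrade, delete
READ, WRITE = frozenset("r"), frozenset("aud")   # LAMT of Fig. 2: Read -> r, Write -> a+u+d

class Role:
    def __init__(self, fid):
        self.fid, self.users = fid, set()
        self.permissions = {}               # Security Object fid -> federated mode combination

class Schema:
    """Roles plus Access Heritage Links <father; son; Mode>; Mode None = complete access."""
    def __init__(self):
        self.roles, self.ahl = {}, []
    def role(self, fid):
        return self.roles.setdefault(fid, Role(fid))
    def permit(self, role_fid, so, modes):
        perms = self.role(role_fid).permissions
        perms[so] = perms.get(so, frozenset()) | frozenset(modes)
    def link(self, father, son, mode=None):
        self.ahl.append((father, son, None if mode is None else frozenset(mode)))
    def granted(self, user, so, active_role=None):
        """Modes `user` may execute on `so` (closed system: nothing unless derived). The mask
        is the intersection of non-null AHL Modes on the path (my reading of Section 4.3)."""
        starts = [r for r in self.roles.values() if user in r.users]
        if active_role is not None:             # one active role per session (ACLO)
            starts = [r for r in starts if r.fid == active_role]
        result = frozenset()
        for start in starts:
            queue, seen = deque([(start.fid, FED_MODES)]), set()
            while queue:
                fid, mask = queue.popleft()
                if (fid, mask) in seen:
                    continue
                seen.add((fid, mask))
                result |= self.roles[fid].permissions.get(so, frozenset()) & mask
                for father, son, mode in self.ahl:
                    if father == fid:
                        new_mask = mask if mode is None else mask & mode
                        if new_mask:            # write-up then read-down: empty, so stop
                            queue.append((son, new_mask))
        return result
    def allowed(self, user, so, modes, active_role=None):
        return frozenset(modes) <= self.granted(user, so, active_role)

def describe_dac(acl, groups, inclusions):
    """Section 5.1: a Direct Access Role per distinct ACL mode combination of a resource, a
    Role per user group, a null-Mode AHL per group inclusion (father group includes son)."""
    s = Schema()
    for res, entries in acl.items():            # acl: {resource: {user: modes}}
        for user, modes in entries.items():
            fid = f"{res}:{''.join(sorted(modes))}"
            s.permit(fid, res, modes)
            s.role(fid).users.add(user)
    for g, (members, rights) in groups.items():  # groups: {group: (members, {resource: modes})}
        s.role(g).users.update(members)
        for res, modes in rights.items():
            s.permit(g, res, modes)
    for father, son in inclusions:
        s.link(father, son)
    return s

def describe_mac(lmt, category, objects, users, liberal):
    """Section 5.2: a Role per (category, level) with r and a+u+d Permissions on that level's
    SOs; AHL(r) from level n down to n-1; with the liberal ☆-property also AHL(a+u+d) up."""
    s = Schema()
    role_at = {i: f"{category}@{i}" for i in lmt.values()}
    for fid in role_at.values():
        s.role(fid)
    for so, level in objects.items():           # objects: {so: level name}
        s.permit(role_at[lmt[level]], so, READ | WRITE)
    for user, clearance in users.items():       # users: {user: clearance level name}
        s.role(role_at[lmt[clearance]]).users.add(user)
    for i in sorted(role_at):
        if i - 1 in role_at:
            s.link(role_at[i], role_at[i - 1], READ)    # descending read heritage
        if liberal and i + 1 in role_at:
            s.link(role_at[i], role_at[i + 1], WRITE)   # ascending write heritage
    return s

# Fig. 2 data, plus a constructed Non-Classified clerk to exercise write-up without read-up.
LMT = {"Non-Classified": 1, "Classified": 2, "Secret": 3, "Top Secret": 4}
FINANCE = {"Sales Result": "Non-Classified", "Salary": "Classified",
           "Account 105": "Secret", "Financial Plan": "Top Secret"}
SUBJECTS = {"Smith": "Secret", "clerk": "Non-Classified"}
finance_liberal = describe_mac(LMT, "Finance", FINANCE, SUBJECTS, liberal=True)
finance_strict = describe_mac(LMT, "Finance", FINANCE, SUBJECTS, liberal=False)

# Constructed DAC schema: one ACL-protected resource and two groups, managers including staff.
office_dac = describe_dac(
    acl={"report.doc": {"alice": "raud", "bob": "r", "dave": "r"}},
    groups={"staff": ({"carol"}, {"memo": "r"}), "managers": ({"dave"}, {"budget": "raud"})},
    inclusions=[("managers", "staff")],
)
```

With this evaluator Smith (clearance 3) reads Sales Result, Salary and Account 105 but not Financial Plan, writes Account 105 and, under the liberal ☆-property only, Financial Plan; the Non-Classified clerk can write up to every level but read nothing above Sales Result. Passing active_role restricts a session to one role, which is how an Activation Constraint Link Object is honoured.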
6 Federated Flow Control Policy 

In each local information system the security manager must define the flow control 
policies adapted to the exchanges between the system and the federation. The import 
policy (input flow of the local system) is defined to be strict, and each local system must 
respect it. The export policy (output flow of the local system) is either strict or liberal. 

- Strict import policy: in our proposal, all the local systems adopt the same import 
access policy. At any time the following security axiom has to be valid: "for a 
given local user, the access to a global datum must be equivalent to the access to a 
local datum belonging to the user's local profile". A user profile is defined as a set of 
access rights to local objects. In our proposal the set of access rights is stored in 
the (one or more) Roles which reference the proper User at the descriptive layer 
of the framework. 

- Strict or liberal export policy: the export policy of a local system defines the way 
local data can be seen from the federated level. In the case of a liberal export 
policy, the access requests from the federated level are performed automatically 
on the local Security Objects. Access equivalences defined among the DDO 
referenced by the User and the actual local data are used to verify the user's rights 
on the data concerned. Access rules on the Security Objects related to the 
federated user take precedence over the access rules defined at the local level. 
In the case of a strict export policy, a first mapping detects which Role of the 
local system corresponds to the Roles related to the global user. Then a second mapping 
is performed to verify the correspondence of the access rights related to the Security 
Objects referenced in the Role. 



7 Conclusion 

We have described a global proposal providing a secured framework for information 
systems cooperation. Security in federated systems is clearly a complex 
issue when local autonomy is respected, due to the dynamic evolution of local 
systems and the complex mappings required to achieve interoperability among various 
security models and policies. Our proposal tries to give an appropriate answer to such 
problems by combining a dynamic description of local information sources and a 
global security policy derived from the local ones. However, many questions are still 
under research. In particular, further work is required to evaluate the impact of nested 
transactions during the query resolution process on the provided security framework. 
A validation phase for our description model is also necessary to make sure it can 
describe almost any local security policy. 

A prototype is currently under development in C++ to implement the 
proposed security layer on top of an existing cooperative information system (with 
IBM Universal DB2 7 and MS SQL Server 2000 DBMS) in a multi-agent 
environment. All the objects are implemented as C++ persistent classes using the 
POET(TM) Object Database Management System [24]. 
Abstract. Based on a study of process behavior classification, a practical 
intrusion detection system prototype is discussed. As one of its key elements, 
the system behavior classifier (a Naive Bayesian Classifier) can identify 
malicious system behaviors effectively by classifying sequences of system 
calls as normal or abnormal. Furthermore, an extended intrusion detection 
mechanism that monitors multiple processes is proposed, to detect intrusions that 
modify the behavior of system programs (such as Trojan horses, buffer 
overflow attacks and viruses). 



1 Introduction 

Intrusion detection systems rely on a variety of observable data to distinguish between 
legitimate and illegitimate activities. In 1996, Forrest and others introduced a simple 
intrusion detection method based on monitoring the system calls used by active, 
privileged processes [1]. Their work shows that a program's normal behavior can be 
characterized by local patterns in its traces. The process trace is the ordered list of 
system calls issued by a process from the beginning of its execution. Deviations from 
these patterns can identify security violations by the executing process [1-3]. Since then, 
many research groups have used the sequence of system calls into the operating system 
kernel as the observable sample to distinguish normal from intrusive behavior. Several 
methods have been used to generate more accurate and more compact models of the 
system-call data; several papers on these experiments with alternative models 
applied to system calls are available [4-6]. In general, more than one security-
critical program (system program or application program) executes in a system, and an 
executing program may consist of one or more processes. As a program is a passive 
entity, to monitor a program means to monitor the executions of the program. So how 
to monitor multiple processes executing in parallel is one of the most important 
problems in designing an intrusion detection system based on system call sequences. 
However, existing studies only discuss the case of a single executing process. 

In this paper, we first present an anomaly detector based on a Naive Bayesian 
Classifier that identifies whether a process trail is normal or abnormal. We then discuss how 
to use this detector to construct a process monitor that can monitor multiple 
processes running in parallel. 
2 System Behaviors Classifier 

The goal of an intrusion detection system is to distinguish illegitimate behavior 
(non-self) from legitimate behavior (self) [7]. Therefore an intrusion detection 
system can be defined as a classification system that analyzes system behaviors or 
security events and identifies the malicious behaviors among all the system behaviors 
[6]. In this section, a classification model and a classifier that can be used to monitor 
the execution of system programs are discussed first. 



[Figure 1 not reproduced; the only recovered text is the label "The universe set of system behavior patterns U".] 

Fig. 1. The definition of the Intrusion Detection System Classification Model 
based on the sets of system behavior patterns 




2.1 Classification Model 

This model can be defined over the universe set of system behavior patterns $U$, 
where $U$ is a finite set of finite system behavior patterns. $U$ can be partitioned into 
two sets, $S$ and $N$, called self and non-self respectively, such that $S \cup N = U$ and 
$S \cap N = \emptyset$. Self patterns represent acceptable or legitimate system behaviors (or 
security events), and non-self patterns represent unacceptable or illegitimate system 
behaviors (or security events). In Figure 1, each point in the plane represents a 
pattern. If the point lies within the shaded area, it is self; otherwise it is non-self. A 
detection system attempts to encode the boundary between the two sets by classifying 
patterns as either normal or anomalous [7]. 

Following the analysis above, an intrusion detection system $D$ can be defined 
as $D = (f, P)$, where $f$ is a binary classification function and $P$ is a set of 
patterns drawn from $U$ representing the knowledge of the detection system, $P \subseteq U$. 
The classification function $f$ maps the pattern set $P$ and a given pattern 
$p \in U$ to a binary classification of normal or anomalous, that is, 
$f : U^* \times U \to \{\text{normal}, \text{anomalous}\}$, where $U^*$ is the power set of $U$. 
Apparently, a given system behavior pattern $p \in U$ is normal if it is in the detection 
system's pattern set $P$, and is anomalous otherwise, that is: 

$$
f(P, p) = 
\begin{cases} 
\text{normal} & \text{if } p \in P \\ 
\text{anomalous} & \text{otherwise} 
\end{cases}
$$ 



In practice, we might not acquire enough knowledge to describe the normal 
behavior of the system accurately. This leads the classification function to produce erroneous 
results. If the detection system fails to classify self patterns as normal, false positive 
errors are generated; and if non-self patterns are not classified as anomalous, false 
negatives are generated. 



2.2 Naive Bayesian Classifier 

Along with decision trees, neural networks and nearest neighbour, the Naive Bayesian 
Classifier provides one of the most practical learning methods based on Bayes' 
Theorem. If the training set is moderate or large enough, or the attributes that describe 
instances are conditionally independent given the class, the Naive Bayesian 
Classifier can be used successfully. 

2.2.1. Naive Bayesian Classifier 

Assume a target function $f : X \to V$, where each instance $x \in X$ is described by 
attributes $(a_1, a_2, \dots, a_n)$. $V$ is the set of instance classes, with each class 
$v_j \in V$. The most probable value of $f(x)$ is the most probable class of 
instance $x$: 

$$
f(x) = v_{MAP} = \arg\max_{v_j \in V} p(v_j \mid a_1, a_2, \dots, a_n) 
= \arg\max_{v_j \in V} \frac{p(a_1, a_2, \dots, a_n \mid v_j)\, p(v_j)}{p(a_1, a_2, \dots, a_n)} 
= \arg\max_{v_j \in V} p(a_1, a_2, \dots, a_n \mid v_j)\, p(v_j) \qquad (2\text{-}1)
$$ 

Naive Bayes assumption: 

$$
p(a_1, a_2, \dots, a_n \mid v_j) = \prod_i p(a_i \mid v_j). \qquad (2\text{-}2)
$$ 

The Naive Bayesian Classifier can be defined as below: 

$$
v_{NB} = \arg\max_{v_j \in V} p(v_j) \prod_i p(a_i \mid v_j). \qquad (2\text{-}3)
$$ 
2.2.2 Naive Bayes Classifier Learning Algorithm 

NBCLA(A) { 
  For (each target value v_j ∈ V) { 
    p(v_j) ← estimate p(v_j); 
    For each attribute value attr_ik of each attribute Attr_i 
      P_i(attr_ik | v_j) ← estimate P_i(attr_ik | v_j); 
  } 
} 

Where: 

• n is the number of training examples for which V = v_j. 
• n_c is the number of examples for which V = v_j and Attr_i = a_ik. 
• p is the prior estimate for P_i(a_ik | v_j). 
• m is the weight given to the prior (i.e., the number of "virtual" examples). 



2.3 System Behaviors Classification 

Forrest organized system call traces into sequence windows to provide context. She 
also showed that a database of known good sequence windows can be built from 
a reasonably sized set of non-intrusive sendmail executions, and that intrusive behavior 
can be detected by finding the percentage of system call sequences that do not 
match any of the known good sequences [2]. 

As an intrusion detection system is used to identify malicious behaviors among 
a large number of system behaviors [6], we can use a classifier to distinguish between legitimate 
and illegitimate activities. First, we collect enough traces of system calls executed by 
a program (for example lpr, covering all execution conditions, normal and abnormal). 
Then we organize the system call trace data into short sequences of length k (k = 7 in our 
experiments [6]). For training purposes, each short sequence is assigned a 
class label of "normal" (if it can be obtained from proper operations of the 
program monitored) or "abnormal". An example of system call short sequences and 
their labels is shown in Table 1. The table also gives the frequency of each system call 
sequence in the training data. These statistics can be used by the Naive 
Bayesian Classifier's learning algorithm. 

Table 1. System call short sequence classification and statistics 

System Call Sequences (Len=7)      Class Label    Frequency in the training data sets 
5 3 67 67 5 139 67                 normal         2025 
67 6 5 3 67 67 6                   normal         3995 
106 105 105 107 106 105 105        normal         19865 
107 10 10 10 10 6 4                abnormal       999 
4 4 4 4 33 51 59                   abnormal       999 
4 33 38 5 3 6 54                   abnormal       1 

When the Naive Bayes Classifier is used to identify the program's behavior, it does not 
need to estimate the posteriors p(v_j|x) exactly; only the most probable class matters. 
Consequently, program behavior classification can be made much easier. We can also use 
the forecasting ability of the classifier to identify some unknown abnormal program 
behaviors. All these make us believe that our classification technique based on the 
Naive Bayes Classifier can improve Forrest's technique, for it does not depend on a 
threshold percentage of abnormal sequences. 
[Fig. 2 diagram: the process executing trail is split into short sequences and fed to the classifier]

Note: The vector (x_1, x_2, ..., x_n) denotes the short sequences 
of system calls in the process's executing trail. 

Fig. 2. Program Behaviors Identifier based on the classifier of short sequences of 
system calls 



3 Intrusion Detection System Prototype Based on System 
Behaviors Classifier 

Based on the above discussion, we now consider how to apply the program behavior 
classifier to monitoring the execution of security-critical programs. 



3.1 Program Behaviors Identifier 

In Fig. 2, a program behaviors identifier framework is given. It is based on the idea 
that intrusions can be detected by observing the behavior of an individual program. 
Anomalous behaviors of a program indicate that the program is being subverted for 
intrusive purposes. Obviously, the program behaviors classifier (Naive Bayesian 
Classifier) is the key element of the program behaviors identifier. However, it can 
only classify a single system call sequence (system behavior) as anomalous or normal; 
it cannot classify the process (execution of the program) as anomalous or normal. 
Furthermore, some occasional anomalous behaviors, which are expected during normal 
system operation, may not indicate that a program is being misused. So a decision 
module is introduced into our program behavior identifier. It is also important to 
capture the temporal locality of anomalous events in order to recognize intrusive 
behavior. As a result, we desire an algorithm that provides some memory of recent 
events. The leaky bucket algorithm fits this purpose well. It keeps a memory of recent 
events by incrementing a counter on the classifier's output y, while slowly leaking its 
value. Thus, as the process produces many anomalies, the leaky bucket algorithm [6] 
quickly accumulates a large value in its counter. Similarly, as the classifier gives 
normal output, the bucket "leaks" its anomaly counter back to zero. 

During program execution, the program behavior classifier outputs the system 
call sequence's classification and puts the result into a leaky bucket. During each 
time-step, the level of the bucket is decreased by a fixed amount. If the level in the 
bucket rises above some threshold at any point during execution of the program, the 
program is flagged as anomalous. 

The advantage of using a leaky bucket algorithm is that it allows occasional 
anomalous behavior, which is to be expected during normal system operation, but it is 
quite sensitive to large numbers of temporally co-located anomalies, which would be 
expected if a program were really being misused. In conclusion, the leaky bucket 
emphasizes anomalies that are closely temporally co-located and diminishes the values 
of those that are sparsely located. So the temporal locality of anomalous sequences 
characteristic of programs under attack can be used to distinguish intrusive behavior 
from simple anomalous noise, and thus to avoid a large number of false positives. 

Our experiment's result (Fig. 3) shows that the Program Behaviors Identifier (based on 
the Naive Bayes Classifier) can be used to identify the abnormal execution of the 
monitored program with high performance (high detection rate with very low false 
positives) [6]. 

Fig. 3. The performance curve of the Program Behaviors Identifier based on the Naive 
Bayes Classifier 



3.2 Process Behavior Identifier 

The Program Behaviors Identifier only identifies whether one specific program's 
execution is being misused or not. Apparently, this is not enough. As there are usually 
multiple programs executing concurrently in a real system, we must monitor all of them 
and identify which program's execution the monitored process is. In order to solve this 
problem, a process behavior identifier is presented (Fig. 4). 

In the process behavior identifier, there are some (at least one) program 
behaviors identifiers, each one corresponding to a specific program's execution*. 
The input data, the short sequences of system calls of one process output by the 
preprocess sub-system, are processed by each program behaviors identifier in 
parallel. If program behaviors identifier i outputs y_i = "abnormal", the input data 
is not the executing trace of the program represented by program behaviors identifier i. 
So if all of the program behaviors identifiers output "abnormal", the process behavior 
identifier outputs "abnormal". According to the input data, if the process is not in 
the set of executing traces of the monitored programs, it means an intrusion is occurring. 
As each program can obviously be distinguished from the others [1], when the process 
behavior identifier outputs "normal", only one program behaviors identifier of the 
process behavior identifier can output "normal". 

So the process behavior identifier given here can classify one process as 
anomalous or normal and identify which program's execution the monitored process is. 

* Each program behaviors identifier must be trained by its corresponding program's execution 
traces. 




[Fig. 4 diagram: the preprocess system feeds each process's short sequences to a process behavior identifier]

The vector (x_i1, ..., x_ij) denotes the short sequences of system 
calls in the i-th process's executing trail. 

Fig. 4. A Practical Intrusion Detection System Prototype based on the process 
behaviors classification 



3.3 A Practical Intrusion Detection System Prototype 

There are always many programs executing concurrently in a real system, and the 
audit system should record the traces of all monitored programs^. However, the 
process behavior identifier defined above can only monitor one process. Our intention 
is to classify entire sessions (which are usually composed of multiple programs' 
executions) as anomalous or normal. As a result, a Practical Intrusion Detection 
System Prototype based on the process behavior classification is presented (Fig. 4). 

According to the prototype defined, the output data of the preprocess system 
consists of the time series to be analyzed. It is expected to be a series of pairs of 
positive integers, one pair per line, where the first integer identifies the data 
stream and the second is the element of the data stream. In our work, the stream 
identifier is the process identification number (PID), and the element of the data 
stream is the system call number. So we can identify each process trace in the 
audit trail (the processes' executing trail) by the process identification number. When 
the preprocess system deals with the audit trail, if it encounters a new PID different 
from those of the processes being monitored, it forks a new process behavior 
identifier to monitor the process with this PID. If the monitored process runs to its 
end (end of the data stream, or a process exit identification is encountered), the 
corresponding process behavior identifier is killed. Thus the IDS based on 
this prototype can monitor multiple processes in parallel. 

The Alarm or Respond Mechanism of the Intrusion Detection System collects the 
results of all the process behavior identifiers, makes a high-level decision, 
and applies the alarm and response policy. If a session contains a single anomalous 
execution of a program, it is flagged as anomalous. 

^ The audit system must be configured to record only the executing traces of the programs 
defined by the program behavior identifiers in the process behavior identifier. 
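The following Python is an added example, not the paper's code: it builds the Naive Bayes classifier over length-7 system call sequences from the counts in Table 1 (Sect. 2.3), feeds its outputs into the leaky bucket decision module of Sect. 3.1, and demultiplexes a "<pid> <syscall>" audit trail into per-PID identifiers as Sect. 3.3 describes. The m-estimate settings, the bucket parameters, the exit marker value, non-overlapping windows and the sample trail are assumptions.

```python
import math
from collections import defaultdict

K = 7           # short-sequence length used in the paper's experiments
EXIT_CALL = 0   # assumed marker the preprocess system emits when a process exits

# Table 1: (system call sequence, class label, frequency in the training data)
TABLE_1 = [
    ((5, 3, 67, 67, 5, 139, 67), "normal", 2025),
    ((67, 6, 5, 3, 67, 67, 6), "normal", 3995),
    ((106, 105, 105, 107, 106, 105, 105), "normal", 19865),
    ((107, 10, 10, 10, 10, 6, 4), "abnormal", 999),
    ((4, 4, 4, 4, 33, 51, 59), "abnormal", 999),
    ((4, 33, 38, 5, 3, 6, 54), "abnormal", 1),
]


class NaiveBayesSequenceClassifier:
    """Position j of a sequence is attribute Attr_j, its value a syscall number.
    P(attr | v_j) is the m-estimate (n_c + m*p) / (n + m) from Sect. 2."""

    def __init__(self, rows, m=1.0):
        self.m = m
        self.class_count = defaultdict(int)  # n: training examples with V = v_j
        self.attr_count = defaultdict(int)   # n_c: examples with V = v_j and Attr_j = a
        self.values = set()                  # every syscall number seen in training
        for seq, label, freq in rows:
            self.class_count[label] += freq
            for pos, call in enumerate(seq):
                self.attr_count[(pos, call, label)] += freq
                self.values.add(call)
        self.total = sum(self.class_count.values())

    def cond_prob(self, pos, call, label):
        p = 1.0 / len(self.values)  # uniform prior estimate p for P(a | v_j)
        n_c = self.attr_count[(pos, call, label)]
        return (n_c + self.m * p) / (self.class_count[label] + self.m)

    def classify(self, seq):
        """MAP label. The normaliser p(x) is dropped, so the score is not a
        calibrated posterior; as the paper notes, that is not needed."""
        best, best_score = None, -math.inf
        for label, n in self.class_count.items():
            score = math.log(n / self.total)
            for pos, call in enumerate(seq):
                score += math.log(self.cond_prob(pos, call, label))
            if score > best_score:
                best, best_score = label, score
        return best


class LeakyBucket:
    """Decision module of Sect. 3.1: each 'abnormal' output raises the level,
    every time-step leaks a fixed amount, and the process is flagged once the
    level rises above the threshold at any point."""

    def __init__(self, increment=1.0, leak=0.5, threshold=1.5):
        self.increment, self.leak, self.threshold = increment, leak, threshold
        self.level, self.flagged = 0.0, False

    def update(self, label):
        if label == "abnormal":
            self.level += self.increment
        if self.level > self.threshold:
            self.flagged = True
        self.level = max(0.0, self.level - self.leak)
        return self.flagged


def monitor_audit_trail(clf, lines):
    """Preprocess system of Sect. 3.3: each line is '<pid> <syscall>'. A new
    PID spawns a process behaviour identifier (K-call buffer plus bucket) and
    the exit marker retires it. Non-overlapping windows of K calls are assumed.
    Returns ({pid: flagged}, set of PIDs still being monitored)."""
    identifiers, verdicts = {}, {}
    for line in lines:
        pid, call = (int(field) for field in line.split())
        if call == EXIT_CALL:
            identifiers.pop(pid, None)   # end of this process's data stream
            continue
        window, bucket = identifiers.setdefault(pid, ([], LeakyBucket()))
        window.append(call)
        if len(window) == K:             # one short sequence is complete
            verdicts[pid] = bucket.update(clf.classify(tuple(window)))
            window.clear()
    return verdicts, set(identifiers)


# Constructed audit trail: two lpr processes interleaved round-robin, each
# ending with the exit marker. G is a variant never seen in training.
A, B, C, D, E = (row[0] for row in TABLE_1[:5])
G = (4, 4, 4, 4, 33, 51, 60)
PER_PID = {1200: [A, B, D, C],   # one stray anomaly, should leak away unflagged
           1201: [A, D, E, G]}   # sustained anomalies, should be flagged
SAMPLE_TRAIL = [f"{pid} {call}" for seqs in zip(*PER_PID.values())
                for pid, seq in zip(PER_PID, seqs) for call in seq]
SAMPLE_TRAIL += [f"{pid} {EXIT_CALL}" for pid in PER_PID]
```

With the session rule of the alarm mechanism, `any(verdicts.values())` over the returned dictionary flags the whole session.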



4 Conclusion 

In this paper, the classification model of system behaviors for intrusion detection is 
discussed first. Then, a practical intrusion detection system prototype based on 
the classification of process behaviors is presented. Using the system behaviors 
classifier (Naive Bayesian Classifier) as the key element, the prototype can identify 
malicious system behaviors by classifying system call sequences as normal or 
abnormal. Apparently, the Naive Bayes Classifier's forecasting capability can improve 
the ability of the IDS to detect variations of known attacks. As a result, an extended 
intrusion detection mechanism that monitors multiple processes to detect intrusions 
that can modify the behaviors of system programs (such as Trojan horses, buffer 
overflow attacks, and viruses) is proposed. 
Abstract. Based on the development of mobile communication, future 
mobile communication systems are expected to provide higher quality 
multimedia services for users than today's systems. Therefore, many technical 
factors are needed in these systems. In particular, secrecy and safety would 
be obtained through the introduction of security for mobile communication. 
In this paper, we present a digital nominative proxy signature scheme that 
processes a user's digital signature and encryption using a proxy agent who 
has more computational power than the origin in mobile communication. 



1 Introduction 

With the rapid expansion of computer applications and digital communication 
networks, information communities have become a common tendency and a new cultural 
paradigm, the "information society", has come about. In this environment, each 
person's digital information is exchanged over digital communication 
networks profitably and swiftly. Various applications connecting computers and 
networks have also been studied. Among them, wireless communication has become a widely 
discussed research topic. 

With the inclusion of mobile data and voice services in the future, users will be 
provided with higher quality personal multimedia mobile communication services 
than today's systems [1]~[5]. 

But in wireless communication, signal transmission is done through radio channels 
over the air, so it is vulnerable to attacks from wiretappers or intruders. Attackers usually 
attempt to gain access to personal information and to use the systems 
without paying. 

Moreover, security features such as user authentication, non-repudiation and so on are 
considered important in mobile communication. Therefore, to obtain confidentiality, 
safety and user authentication against illegal actors other than the true users, the nominative 
signature scheme was proposed [7]. This scheme achieves these objectives: only the 
verifier can confirm the signer's signature and, if necessary, only the verifier can prove to 
a third party that the signature was issued to him (her) and is valid. However, it is not 
efficient, because it needs more computational power, such as modular exponentiation, 
than personal mobile devices, which have less capability than a general PC, can provide. 

So in this paper, we present the required security properties for supporting 
authentication and safety for entities in mobile communication. Based on those 
proposed properties, we consider conventional digital signature schemes [7] [8] 
[9] [10]. Also, to provide safety and to process efficient digital signatures on a personal 
mobile device, we propose a new digital signature paradigm, the nominative proxy 
signature in public key cryptography. Additionally, the proposed scheme protects the 
proxy agent from illegal actors in mobile communication. 

2 Security Features 

In this section, we describe the required properties and characteristics for obtaining 
trustability and efficiency in an application based on mobile communications, as 
follows [11]. 

• User confidentiality : When the origin sends a message to the receiver, the 
message is sent to the receiver safely and correctly so that only he can confirm the 
origin's identity, protected from an attacker's wiretapping. So user confidentiality is needed on an 
open network, and some methods can be applied to it. 

• Authentication : It should be possible for the receiver of a message to ascertain its 
origin; an intruder should not be able to masquerade as someone else. It should also be possible to verify 
that the message has not been modified in transit; an intruder should not be able to substitute 
a false message for a legitimate one. 

• Non-repudiation : A sender should not be able to falsely deny later that he sent a 
message. 

• Efficiency : In mobile communication, the computational cost and time should be smaller 
than that required by a general PC, to reduce the load on the personal mobile 
device. 

• Safety : In mobile communication, no entity other than the origin, however genuine it is, 
must be able to forge or change the message. 



3 Proposing the Nominative Proxy Signature 

To satisfy the security features in mobile communication, we propose a new 
solution, the nominative proxy signature. In the proposed scheme, we introduce a 
proxy agent to gain efficiency in mobile communication. Also, to satisfy the 
security features of confidentiality and authentication in Section 2, a proxy signature 
message is encrypted with the verifier's public key and sent by the proxy agent [7] [8] [9]. 
Additionally, because the proxy agent generates the signature information with the agent's 
secret information and the origin's signature request information, this scheme provides 
non-repudiation and safety. 

3.1 System Parameter 

For the convenience of describing our work, we first define the following set of 
symbols: 

• p, q : large primes, p > 512 bits, q | p−1 

• g : a generator of Z_p 

• X_A, X_B, X_G : secret information of the signer A, the verifier B and the proxy agent G 

• Y_A = g^{X_A} mod p : A's common information 

• Y_B = g^{X_B} mod p : B's common information 

• Y_G = g^{X_G} mod p : the proxy agent's common information 

• s_i : the signer's one-time secret information for a signature (i ∈ Z) 

• T_i, M : the i-th time-stamp and the message 

• H() : a secure 128-bit one-way hash function 

3.2 Implementing Nominative Proxy Signature 

(1) Proxy generation : The origin A generates the signature request information as 
follows: 

a_i ∈_R Z_q (i ∈ Z) 
d_i = H(M || T_i) 

I = g^{a_i} mod p 

s_i = (X_A · d_i + a_i · I) mod p      (1) 

A prevents the proxy agent from generating an illegal signature, since s_i is 
generated by A himself using the one-time random number a_i and d_i. 

(2) Proxy delivery : The origin A gives (s_i, I, M, T_i) to a proxy agent G in a secure 
manner. 

(3) Proxy verification : G checks 

g^{s_i} = (Y_A^{d_i} · I^{I}) mod p      (2) 

If the computed value is correct, the origin and the received message are considered 
trustworthy. 

(4) Nominative proxy signing by the proxy agent : G chooses random numbers r and 
R, and then generates K to prevent the origin's illegal acts. 

r, R ∈_R Z_p 

K = g^{…} mod p      (3) 

G generates D, Z and e, and then processes a nominative proxy signature S_G(Z). 

D = Y_B^{…} mod p 
Z = (Y_B || K || D || M) 
e = h(Z) 

S_G(Z) = (X_G · r − R · s_i · e) mod q      (4) 

When D and e are generated by G, G's public key is used so that the signature can be confirmed 
only by the verifier. In this phase, confidentiality is supported between G and the 
verifier. 

(5) Nominative proxy signature delivery : The proxy agent G sends (M || T_i || I || K || D || 
R || S_G(Z)) to the verifier. 

(6) Verification of the nominative proxy signature : The verifier B generates e and b to 
check the received signature. 

h(Y_B || K || D || M) = e      (5) 

b = (Y_A^{d_i} · I^{I}) mod p, with d_i = H(M || T_i)      (6) 

B verifies the nominative proxy signature with the generated information e, b and so 
on. 

(g^{S_G(Z)} · b^{R·e} · K)^{X_B} mod p = D 

The verifying signature is processed in this way: 

(g^{S_G(Z)} · b^{R·e} · K)^{X_B} mod p 
  = (g^{X_G·r − R·s_i·e} · (Y_A^{H(M||T_i)} · g^{a_i·I})^{R·e} · K)^{X_B} mod p 
  = (g^{X_G·r − R·s_i·e} · g^{(X_A·H(M||T_i) + a_i·I)·R·e} · K)^{X_B} mod p 
  = (g^{X_G·r − R·s_i·e} · g^{s_i·R·e} · K)^{X_B} mod p 
  = (g^{…})^{X_B} mod p 
  = Y_B^{…} mod p 
  = D      (7) 

3.3 Analysing the Proposed Scheme 

When all the above steps are applied to mobile communication, the nominative 
proxy signature scheme offers the following attractive properties. 

• Satisfying user confidentiality : The proposed scheme has the nominative 
signature's user confidentiality. So the proposed nominative proxy signature protects 
the origin's identity from an illegal third party. 

• Providing authentication : The proposed scheme has the basic properties 
supported by general digital signatures. In particular, to obtain authentication in 
mobile e-commerce, in this scheme a proxy agent processes the nominative proxy 
signature. 

• Non-repudiation : During signature generation, the proxy agent inputs his secret 
information into the signature. Therefore this scheme supports non-repudiation of the 
fact that the origin requested a nominative proxy signature from the proxy agent. 

• Efficiency : When the origin wants to generate a signature, he uses a proxy agent who has 
more computational power than him. So even if the origin has only a personal mobile device, 
this scheme supports efficiency. 

• Providing safety : When the signature request information is sent to the proxy agent, the 
origin gives one-time secret signature information. Also, when the signature is 
generated by the proxy agent, he inputs his secret information into the signature. Because 
neither the origin nor the proxy agent can generate an illegal signature alone, this scheme provides 
safety. 

Table 1 shows a comparison of the several schemes mentioned, based on the security 
features. 

Table 1. Comparison of each scheme 

scheme \ feature         User confidentiality   Authentication   Non-repudiation   Efficiency   Safety
Nominative signature     O                      O                O                 X            X
Proxy signature          X                      O                X                 O            X
C. Gamage scheme         O                      O                X                 O            X
Proposed scheme          O                      O                O                 O            O

4 Conclusion 

With the rapid expansion of computers and digital networks, in the new cultural 
paradigm of the information society, ever more applications including e-commerce 
will be supported. In this environment, to obtain confidentiality 
and authentication in mobile communication, the digital signature is one of the most 
important research topics of modern cryptography. 

The nominative signature satisfies confidentiality using the secure channel 
between a signer and a verifier in mobile communication. But this scheme does not 
support efficiency, because the modular exponentiation is executed in the 
signer's personal mobile device during the signing process. In the case of the proxy 
signature, efficiency is provided by a proxy agent, but confidentiality and user 
non-repudiation are not supported. C. Gamage's proxy signcryption scheme 
satisfies confidentiality, authentication and efficiency, but non-repudiation and 
safety are not supported, because the origin and the proxy agent can make an illegal signature. 

So in this paper, we present a new nominative proxy signature scheme to solve the 
problems of the conventional schemes. The proposed scheme satisfies all the required security properties 
for supporting authentication, safety, efficiency, confidentiality and non-repudiation in 
mobile communication. 
Abstract. Trying to display all the graphic objects representing the dynamics of 
the models being simulated causes a distraction of focus. Keeping the focus is 
especially needed when the model is large and complex, like a security simula- 
tion model, which includes the dynamics of attacks that become more sophisti- 
cated as the network is widely spread. This paper presents a simulation modeling 
environment for animation in which the users can have better focus on the dy- 
namics of security systems by selectively choosing the hierarchical level and 
components within a level of the hierarchically structured model. 



1 Introduction 

Recently, many organizations use Internet TCP/IP protocols to build intranets to share 
and disseminate internal information. A large scale (and complex) attack on the net- 
works can cripple important world-wide Internet operations [1]. Cooperative at- 
tacks cannot be recognized by each security system on its own, but are judged from the relations among them. 

In the field of intrusion detection, early systems were designed to detect attacks 
upon a single host [1,2,3]. Although they could collect reports on a single local area 
network, these systems did not aggregate information on a wider scale [1]. As intru- 
sions become more sophisticated, it becomes beyond the scope of one intrusion detec- 
tion system to deal with them. The need arises for systems to cooperate with one an- 
other, to manage diverse attacks across networks and time [4]. In practice, later secu- 
rity systems consider the role of networks, especially for large networks. For 
example, Cooperating Security Managers (CSMs) [5] are designed to be used in large 
and heavily interconnected networks. AAFID (Autonomous Agents For Intrusion 
Detection) [6] is composed of agents, transceivers, monitors, and a user interface to 
detect attacks on large networks. The GrIDS (Graph-based IDS) [1] project at UC 
Davis analyzes network activity by using a hierarchical aggregation scheme in order to 
scale to large networks. 

Security simulation evaluates the performance (the efficiency and vulnerability) of 
security systems in a network and predicts the dynamics of the security systems when 
the security policy is changed. The security simulation needs to consider sophisti- 
cated attacks. When the target network is large and complex, however, the users have 
difficulty in analyzing the dynamics and results of the security models. When a user desires 
to observe the dynamics of the security models on a large scale network (topology), 
trying to display all the graphic objects representing the dynamics of the models being 
simulated causes a distraction of focus. The redundant graphic objects also increase 
the computational overhead. 

This paper presents a simulation modeling environment for animation in which the 
users can have better focus on the dynamics of security systems by selectively choos- 
ing the hierarchical level and components within a level of the hierarchically struc- 
tured model. Our approach for the hierarchical modeling environment is based on the 
DEVS (Discrete EVent system Specification) formalism [7], which is a theoretically 
well grounded means of expressing modular and hierarchical models. 

2 DEVS Formalism 

The DEVS (Discrete EVent system Specification) formalism is a modeling methodology to 
simulate discrete event systems on continuous time. The DEVS modeling approach 
supports hierarchical, modular construction of both DEVS models and the counterpart 
systems they represent. The hierarchical animation environment is designed based on 
the hierarchical and modular property of DEVS. A DEVS model can be either an 
atomic model (M) or a coupled model (DN) [7] as follows. 

M = < X, S, Y, δ_int, δ_ext, ta > 

DN = < D, {Mi}, {Ii}, {Zi,j}, select > 

In Fig. 1, the left half of the diagram shows the model structure and the abstract 
simulator. The behavior is specified in the model structure and the abstract simulator 
generates the behavior specified in the model. 

3 Hierarchical Simulation Animation Environment 

The hierarchical animation environment represents an environment which allows users 
to observe desired levels and components within the levels of hierarchically structured 
models. The core component of the hierarchical animation environment is an anima- 
tion execution module called an abstract hierarchical animator [8]. The hierarchical 
animation environment is composed of four components, the model that specifies 
behavior of a target system, the simulator that generates the behavior specified in the 
model, schedules simulation events, the animator that schedules animations which 
reflects the simulation results, and the animation that animates images on the screen. 

In the hierarchical animation each model is paired up with an animator to control 
the animation object assigned to the model, whereas in the general animation envi- 
ronment an animator controls all the animation objects of the models. Therefore, the 
structure of the animator is identical to that of the simulator in the hierarchical anima- 
tion. An abstract animator (or hierarchical animator) consists of root-co-animator, co- 
animator and animator like the abstract simulator consists of root-coordinator, coordi- 
nator and simulator. There are three reasons for the structuring of the animator in 
hierarchical fashion. First, it ensures ease in the synchronization between simulation 
and animation; second, it ensures ease in the hierarchical specification of models with 
the animation information; third, it provides increased reusability. 



[Fig. 1 diagram; legend: solid arrow = interaction of modules, dashed arrow = interaction in a module]

Fig. 1. Model structure, abstract simulator and abstract animator 

The animators keep the variables (t_L, t_N, L, AL, done_A-list, to-be-done_A-list) for 
the synchronization between simulation and animation, and these variables are up- 
dated and delivered by control messages of several types (Imminent, done, 
done_A, pause_A, ask-done_A). The abbreviations of simulators and animators are R (root- 
co-ordinator), C (co-ordinator), S (simulator), RA (root-co-animator), CA (co- 
animator), A (animator). For example, a CA's latest time of an animation 
completion is updated when it receives the done_A-message, which reports the comple- 
tion of an animation. 

There are four phases of operations in a simulation cycle. Fig. 1 shows all the con- 
trol messages passed between the abstract simulator and the abstract animator for the 
hierarchically structured model. The number at the head of a message denotes the 
phase. In the 1st phase the *-message indicates that a specified event is starting. In the 2nd 
phase the done-message reports that the event scheduling is done. In the 3rd phase the *_A- 
message indicates that an animation is starting. In the 4th phase the done_A-message reports 
that the animation is done. Then the operations for the next event are started again in the 
1st phase. 
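The four-phase cycle above, as an added Python example that is not the paper's code: a toy DEVS atomic model, a simulator that answers the *-message with done, and a per-model animator that answers *_A with done_A. The model states and time advances, the draw delay and the tie-breaking "select" rule are assumptions; the component names DNS_1 and A1 are taken from the sample system of Sect. 4.

```python
class AtomicModel:
    """Toy DEVS atomic model (assumed): a cyclic list of (state, ta) pairs;
    delta_int moves to the next state and ta() is its time advance."""

    def __init__(self, name, phases):
        self.name, self.phases, self.index = name, phases, 0

    def state(self):
        return self.phases[self.index][0]

    def ta(self):
        return self.phases[self.index][1]

    def delta_int(self):
        self.index = (self.index + 1) % len(self.phases)


class Simulator:
    """Phases 1 and 2: on the *-message it fires the model's internal
    transition at t_N and replies with done carrying the new t_N."""

    def __init__(self, model):
        self.model, self.t_last, self.t_next = model, 0.0, model.ta()

    def star(self, t):
        assert t == self.t_next, "*-message must arrive at the imminent time"
        self.model.delta_int()
        self.t_last, self.t_next = t, t + self.model.ta()
        return ("done", self.model.name, self.t_next)


class Animator:
    """Phases 3 and 4: on the *_A-message it draws the model's new state
    (recorded as a frame here) and replies done_A. Drawing takes wall-clock
    time, so completion lags the simulation clock, but the lag is measured
    from the event just animated and never carries over to the next one."""

    def __init__(self, draw_delay):
        self.draw_delay, self.t_last_anim, self.frames = draw_delay, 0.0, []

    def star_a(self, t, name, state):
        self.frames.append((t, name, state))
        self.t_last_anim = t + self.draw_delay
        return ("done_A", name)


def run(models, draw_delay, n_events):
    """Root co-ordinator and root co-animator loop (assumed): every event goes
    through phases 1-4 in order. 'select' picks the earliest t_N, ties broken
    by model order. Returns (message trace, largest animation lag seen)."""
    sims = [Simulator(m) for m in models]
    anims = {m.name: Animator(draw_delay) for m in models}
    trace, max_lag = [], 0.0
    for _ in range(n_events):
        sim = min(sims, key=lambda s: s.t_next)
        t = sim.t_next
        trace.append((1, "*", sim.model.name, t))
        _, name, t_next = sim.star(t)
        trace.append((2, "done", name, t_next))
        trace.append((3, "*_A", name, t))
        anims[name].star_a(t, name, sim.model.state())
        trace.append((4, "done_A", name, t))
        max_lag = max(max_lag, anims[name].t_last_anim - t)
    return trace, max_lag


# Constructed sample: two level-3/level-4 components with assumed timings.
SAMPLE_MODELS = [AtomicModel("DNS_1", (("idle", 2.0), ("busy", 1.0))),
                 AtomicModel("A1", (("listen", 3.0), ("respond", 0.5)))]
```

Because the animator is re-synchronised to the simulation clock at every event, the lag after six events is the same as after one, which is the bounded-error property claimed in Sect. 4.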

4 Implementation & Testing 

We have implemented a sample network with security systems, shown in Fig. 2. Components 
in each level are: Level 1 (Network), Level 2 (Subnet0, Subnet64, Subnet128, Sub- 
net192), Level 3 (DNS_1, DNS_Server, DNS_1, DNS_2, ...), Level 4 (A1, A2, ...). 

Fig. 3 shows the simulation animation of the sample system at each observation level. 
Fig. 2. Architecture and model structure of the sample security systems 

[Fig. 3 panels: Level 1, Level 2, Level 3]

Fig. 3. Hierarchical simulation in each level 

The accuracy of animation for displaying simulation results can be evaluated by 
how the event scheduling times of models are utilized. Since the time elapsed in dis- 
playing the graphic images depends on the computing power of the subsystem, the 
ratio of the animation time to the simulation time is not guaranteed to be one. Hence, 
the proper animation algorithm is important for the animation accuracy. The algorithm 
of the hierarchical animator guarantees the animation error to be restricted within one 
event to the next, i.e., the error in graphics is not accumulated beyond this interval. 



5 Conclusion 

Despite the various efforts to perform the valid simulation, there are many difficulties 
in verifying the model code, validating the model and understanding the simulation. 
Animation is one of the popular output methods to reduce the difficulties. In this pa- 
per, we have designed and implemented a hierarchical animation environment for 
simulation, and showed its usefulness. The developers and the security specialists can 
selectively observe the level and components of the security systems of a large net- 
work in the hierarchical animation. Even in the security models that include the com- 
plex dynamics for cooperated attacks, users can intuitively understand the simulation 
results and it helps validate and verify the simulation model. Users can also reuse the 
models and deploy the animation effectively on the limited window. 
Abstract. Several new group signature schemes have been proposed 
in recent years. In addition, several applications for group signatures 
(including electronic cash) have been suggested. 

A new cash scheme based on a recent group signature by Ateniese, Ca- 
menisch, Joye and Tsudik is presented. Its construction uses a general 
framework suitable for a number of group signature schemes. We also 
identify the challenges faced by such schemes. 



1 Introduction 

Unlike ordinary signatures, group signatures allow a group member to create 
anonymous (and unlinkable) signatures. Upon verifying a signature, the verifier 
does not learn the identity of the group member that created the signature. 
However, should the need arise, a group signature can be ‘opened’ by a trusted 
party and the identity of the member who created the signature will be revealed. 

Several proposals [3,6,4] have introduced group signatures into electronic cash 
schemes. The anonymity and unlinkability afforded by group signatures suggests 
that they may have a role to play in anonymous electronic cash scheme design. 
The existing proposals have utilised group signatures in different roles, where 
the group has been formed from the banks that issue the electronic coins [3], the 
customers that spend the electronic coins [3,6] and indeed the coins themselves [4]. 

A general structure for using group signatures to form a ‘group of customers’ 
has been developed but, due to the limited amount of space available, this frame- 
work will not be described here. Instead, a new cash scheme based on a recently 
proposed group signature scheme is described in order to illustrate the construc- 
tion. The main benefits of the new cash scheme compared to [6] relate to the 
underlying group signature scheme’s improved efficiency and provable security. 

* This research is part of an ARC SPIRT project undertaken jointly by Queensland 
University of Technology and Telstra 
Main Contribution: We focus on the ‘group of customers’ model for apply- 
ing group signatures to electronic cash scheme design and illustrate a general 
construction for these schemes. A new scheme is presented and the properties 
of the scheme are analysed with a view to identifying key unresolved issues. In 
particular, withdrawal protocol diversion and additional-overspending framing 
are discussed. 

2 A New Offline Fair Cash Scheme 

This section presents a new offline fair cash scheme based on the group signa- 
ture scheme proposed by Ateniese, Camenisch, Joye and Tsudik [1]. This group 
signature scheme is provably coalition-resistant and quite efficient. 



Setup: Let ε > 1, k, and ℓ_p be security parameters. Let λ_1, λ_2, γ_1, and γ_2 denote 
lengths satisfying λ_1 > ε(λ_2 + k) + 2, λ_2 > 4ℓ_p, γ_1 > ε(γ_2 + k) + 2, γ_2 > λ_1 + 2. 
Define the integral ranges Λ = ]2^{λ_1} − 2^{λ_2}, 2^{λ_1} + 2^{λ_2}[ and Γ = ]2^{γ_1} − 2^{γ_2}, 2^{γ_1} + 2^{γ_2}[. 
Finally, let H be a collision-resistant hash function H : {0, 1}* → {0, 1}^k. (The 
parameter ε controls the tightness of the statistical zero-knowledgeness and the 
parameter ℓ_p sets the size of the modulus to use.) 

The Group Manager: The initial phase involves the group manager (GM) setting the group public key and his secret key, $\mathcal{Y}$ and $\mathcal{S}$, as follows: 

— Select random secret $\ell_p$-bit primes $p', q'$ such that $p = 2p' + 1$ and $q = 2q' + 1$ are prime. Set the modulus $n = pq$. 

— Choose random elements $a, a_0, g, h \in_R QR(n)$, where $QR(n)$ is the group of quadratic residues in $\mathbb{Z}_n^*$ and is of order $p'q'$. 

— The group public key is $\mathcal{Y} = (n, a, a_0, g, h)$. 

— The corresponding secret key (known only to GM) is $\mathcal{S} = (p', q')$. 

The Revocation Manager: The revocation manager (RM) chooses a random secret element $x \in_R \mathbb{Z}_{p'q'}^*$ and publishes $y = g^x \bmod n$. 

The Bank: The bank selects an appropriate set of parameters to support the 
chosen blind signature scheme for issuing authorities. 

The Customer: Each customer $C_i$ who wishes to join the customer group interacts with the group manager in order to acquire: 

— A private key $x_i$ known only to the user such that $x_i \in \Lambda$. The associated public key is $C_2 = a^{x_i} \bmod n$ with $C_2 \in QR(n)$. 

— A membership certificate $[A_i, e_i]$ where $e_i$ is a random prime chosen by GM such that $e_i \in_R \Gamma$ and $A_i$ has been computed by the GM as $A_i := (C_2 a_0)^{1/e_i} \bmod n$. 

— GM creates a new entry in the membership table for $[A_i, e_i]$. 




Fair Electronic Cash Based on a Group Signature Scheme 463 



Withdrawal: The withdrawal process involves the customer and bank completing the following tasks. 

— The customer completes the commitment phase of the signing process. 

• Generate a random value $w \in_R \{0,1\}^{2\ell_p}$. 

• Compute: $T_1 = A_i y^w \bmod n$; $T_2 = g^w \bmod n$; $T_3 = g^{e_i} h^w \bmod n$. 

• Randomly choose: $r_1 \in_R \pm\{0,1\}^{\varepsilon(\gamma_2 + k)}$, $r_2 \in_R \pm\{0,1\}^{\varepsilon(\lambda_2 + k)}$, $r_3 \in_R \pm\{0,1\}^{\varepsilon(\gamma_1 + 2\ell_p + k + 1)}$, $r_4 \in_R \pm\{0,1\}^{\varepsilon(2\ell_p + k)}$. 

• Compute: $d_1 = T_1^{r_1} / (a^{r_2} y^{r_3}) \bmod n$; $d_2 = T_2^{r_1} / g^{r_3} \bmod n$; $d_3 = g^{r_4} \bmod n$; $d_4 = g^{r_1} h^{r_4} \bmod n$. 

The result is the commitment values $\{T_1, T_2, T_3, d_1, d_2, d_3, d_4\}$. 

— The customer obtains an authority $Auth(T_1, T_2, T_3, d_1, d_2, d_3, d_4)$ from the bank via a blind signature protocol. The message which is signed is a pre-determined set of values chosen from the set $\{T_1, T_2, T_3, d_1, d_2, d_3, d_4\}$. For instance, the authority could be a signature on the message $(T_1 \| T_2)$. In this way, the customer’s identity is bound to the authority because $(T_1, T_2)$ is a modified ElGamal encryption of the customer’s membership certificate and uniquely identifies the customer. 



Payment: During the payment process, the payment transcript $msg$ is signed using the group member’s signing keys. 

— The customer retrieves the previously calculated values $T_1, T_2, T_3, d_1, d_2, d_3$ and $d_4$ along with the previously obtained authority $Auth$. 

— The customer uses the values $T_1, T_2, T_3, d_1, d_2, d_3, d_4$ and the message $msg$ to complete the challenge and response phases of the signing process. 

• Challenge Phase: Calculate $c = \mathcal{H}(g \| h \| y \| a_0 \| a \| T_1 \| T_2 \| T_3 \| d_1 \| d_2 \| d_3 \| d_4 \| msg)$. 

• Response Phase: Compute $s_1 = r_1 - c(e_i - 2^{\gamma_1})$, $s_2 = r_2 - c(x_i - 2^{\lambda_1})$, $s_3 = r_3 - c\,e_i w$, $s_4 = r_4 - cw$ (all in $\mathbb{Z}$). 

The resulting group signature is $(c, s_1, s_2, s_3, s_4, T_1, T_2, T_3)$. 

— The customer sends the merchant the group signature on the payment transcript $msg$ plus the corresponding authority $Auth$. 

— The merchant verifies the group signature $(c, s_1, s_2, s_3, s_4, T_1, T_2, T_3)$ of the payment transcript $msg$ as follows: 

1. Compute: 
$d'_1 = a_0^{c}\, T_1^{s_1 - c2^{\gamma_1}} / (a^{s_2 - c2^{\lambda_1}} y^{s_3}) \bmod n$, 
$d'_2 = T_2^{s_1 - c2^{\gamma_1}} / g^{s_3} \bmod n$, 
$d'_3 = T_2^{c} g^{s_4} \bmod n$, 
$d'_4 = T_3^{c} g^{s_1 - c2^{\gamma_1}} h^{s_4} \bmod n$, 
$c' = \mathcal{H}(g \| h \| y \| a_0 \| a \| T_1 \| T_2 \| T_3 \| d'_1 \| d'_2 \| d'_3 \| d'_4 \| msg)$. 

2. Accept the group signature if and only if $c = c'$ and 
$s_1 \in \pm\{0,1\}^{\varepsilon(\gamma_2 + k) + 1}$, $s_2 \in \pm\{0,1\}^{\varepsilon(\lambda_2 + k) + 1}$, $s_3 \in \pm\{0,1\}^{\varepsilon(\gamma_1 + 2\ell_p + k + 1) + 1}$, $s_4 \in \pm\{0,1\}^{\varepsilon(2\ell_p + k) + 1}$. 

— The merchant confirms that the attached authority $Auth$ is correct with respect to the pre-determined set of values from $\{T_1, T_2, T_3, d'_1, d'_2, d'_3, d'_4\}$. 



Deposit: The deposit process proceeds as follows: 

— The merchant sends to the bank the group signature on the payment transcript $msg$ plus the authority, i.e. $[msg, (c, s_1, s_2, s_3, s_4, T_1, T_2, T_3), Auth]$. 

— The bank verifies the group signature and the authority using the same operations as the merchant. If this is successful, the bank checks for double-spending by searching its list of previously used authorities. 

If the authority is not found, the authority is added to the list and the payment is accepted as valid. If the authority has been previously used, the bank sends both transcripts to the revocation manager RM and requests that the identity of the customer be revoked. 



Identity Revocation: To open a signature and reveal the identity of the actual customer who created a given signature, RM executes the following procedure: 

1. Check the signature’s validity as per the merchant’s verification procedure. 

2. Recover $A_i$ (and thus the identity of $C_i$) as $A_i = T_1 / T_2^{x} \bmod n$. 

3. Generate a proof that $\log_g y = \log_{T_2}(T_1 / A_i \bmod n)$. 
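The following Python script is an added example, not the paper's code: it instantiates the Setup, Withdrawal, Payment, Deposit and Identity Revocation steps above with toy parameters (p' = 11, q' = 23, so n = 1081 and QR(n) has order 253, with small constants in place of 2^{γ1} and 2^{λ1}). It assumes the bank's authority can be modelled as the recorded pair (T1, T2) rather than a blind signature, drops the range checks on s1..s4 (the toy lengths cannot satisfy them), and needs Python 3.8+ for pow with a negative exponent.

```python
"""Toy instance of the offline fair cash scheme above: ACJT-style group
signature, bank authority on (T1, T2), double-spend detection and RM opening.
Constructed example, not the paper's code.  n = 23*47 (p'=11, q'=23, |QR(n)|=253)
replaces the real lambda/gamma/l_p sizes, so the +-{0,1}^... range checks on
s1..s4 are omitted and the blind signature is abstracted to a recorded pair."""
import hashlib
import random

P1, Q1 = 11, 23                  # p' and q'; p = 2p'+1 = 23 and q = 2q'+1 = 47 are prime
N = (2 * P1 + 1) * (2 * Q1 + 1)  # modulus n = pq = 1081
ORDER = P1 * Q1                  # order of QR(n) = p'q' = 253
GAMMA1, LAMBDA1 = 4, 3           # toy exponents for the 2^gamma_1 and 2^lambda_1 offsets
A, A0, G, H = 4, 9, 25, 49       # squares of 2, 3, 5, 7: elements of QR(n)
RM_X = 17                        # revocation manager's secret x (coprime to 253)
Y = pow(G, RM_X, N)              # RM public value y = g^x mod n
rng = random.Random(1)           # fixed seed so the run is reproducible

def inv(x):
    """Inverse mod n; every group element used here is coprime to n."""
    return pow(x, -1, N)

def hash_c(*parts):
    """c = H(g||h||y||a0||a||T1||T2||T3||d1||d2||d3||d4||msg) as a 32-bit integer."""
    return int.from_bytes(hashlib.sha256("||".join(map(str, parts)).encode()).digest()[:4], "big")

def join(xi, ei):
    """Join: C2 = a^xi mod n; GM issues A_i = (C2 a0)^(1/ei) mod n using 1/ei mod p'q'."""
    c2 = pow(A, xi, N)
    ai = pow(c2 * A0 % N, pow(ei, -1, ORDER), N)
    ass = pow(ai, ei, N) == c2 * A0 % N      # certificate relation A_i^ei = a^xi a0
    assert ass
    return ai

def commit(ai, ei):
    """Withdrawal: commitment phase; the randomness is kept for the response phase."""
    w = rng.randrange(1, ORDER)
    t1, t2 = ai * pow(Y, w, N) % N, pow(G, w, N)
    t3 = pow(G, ei, N) * pow(H, w, N) % N
    r1, r2, r3, r4 = (rng.randrange(1, 2 * ORDER) for _ in range(4))
    d1 = pow(t1, r1, N) * inv(pow(A, r2, N) * pow(Y, r3, N) % N) % N
    d2 = pow(t2, r1, N) * inv(pow(G, r3, N)) % N
    d3 = pow(G, r4, N)
    d4 = pow(G, r1, N) * pow(H, r4, N) % N
    return {"T": (t1, t2, t3), "d": (d1, d2, d3, d4), "r": (r1, r2, r3, r4), "w": w}

def pay(com, xi, ei, msg):
    """Payment: challenge c and responses s1..s4 (integers, possibly negative)."""
    t1, t2, t3 = com["T"]
    c = hash_c(G, H, Y, A0, A, t1, t2, t3, *com["d"], msg)
    r1, r2, r3, r4 = com["r"]
    w = com["w"]
    s1 = r1 - c * (ei - 2 ** GAMMA1)
    s2 = r2 - c * (xi - 2 ** LAMBDA1)
    s3 = r3 - c * ei * w
    s4 = r4 - c * w
    return (c, s1, s2, s3, s4, t1, t2, t3)

def verify(sig, msg):
    """Merchant/bank check: recompute d'1..d'4 from the signature and test c = c'."""
    c, s1, s2, s3, s4, t1, t2, t3 = sig
    e1 = s1 - c * 2 ** GAMMA1                # = r1 - c*ei for an honest signer
    e2 = s2 - c * 2 ** LAMBDA1               # = r2 - c*xi
    d1 = pow(A0, c, N) * pow(t1, e1, N) * inv(pow(A, e2, N) * pow(Y, s3, N) % N) % N
    d2 = pow(t2, e1, N) * inv(pow(G, s3, N)) % N
    d3 = pow(t2, c, N) * pow(G, s4, N) % N
    d4 = pow(t3, c, N) * pow(G, e1, N) * pow(H, s4, N) % N
    return c == hash_c(G, H, Y, A0, A, t1, t2, t3, d1, d2, d3, d4, msg)

def open_signature(sig):
    """Identity revocation by RM: A_i = T1 / T2^x mod n."""
    return sig[5] * inv(pow(sig[6], RM_X, N)) % N

class Bank:
    """Deposit: the authority is the signed pair (T1, T2); the same pair with a
    different transcript is a double-spend (both transcripts would go to RM)."""
    def __init__(self):
        self.used = {}                       # authority -> first transcript seen

    def deposit(self, sig, msg):
        if not verify(sig, msg):
            return "rejected"
        auth = (sig[5], sig[6])
        if auth in self.used and self.used[auth] != msg:
            return "double-spend"
        self.used.setdefault(auth, msg)
        return "accepted"

def demo():
    """Withdraw one coin, spend it twice, let the bank catch it and RM open it."""
    xi, ei = 5, 7                            # toy x_i and prime e_i (gcd(7, 253) = 1)
    ai = join(xi, ei)
    com = commit(ai, ei)
    bank = Bank()
    m1, m2 = "pay M1 10 units", "pay M2 10 units"
    first = bank.deposit(pay(com, xi, ei, m1), m1)
    sig2 = pay(com, xi, ei, m2)
    return first, bank.deposit(sig2, m2), open_signature(sig2) == ai
```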

3 Observations 

The ‘group of customers’ offline model was first proposed by Lysyanskaya and Ramzan [3] and subsequently expanded upon by Traore [6]. The structure of the new scheme follows that of Traore [6] and hence it has the same general security properties. The weaknesses described previously by Traore [6] have their origins in the level of coin transfer-resistance that is achieved. 

The group signature signing process binds a customer’s identity to the signature during the commitment phase by encrypting the customer’s identity under $T_1$ and $T_2$. Therefore, it is not possible for any other customer to spend the ‘coin’. In this sense, the ‘coin’ is bound to the identity of a particular customer. Whether or not this customer is the withdrawing customer depends on the blind signature used to create the authority. In Brands’ cash [2], the restrictive blind signature used to create the authority achieves tight binding and prevents the withdrawal protocol from being diverted. As a result, the signing keys of the customer withdrawing the ‘coin’ must be known in order to spend the ‘coin’. 

The exact details of the commitments used in creating an authority have not been specified. Different choices can provide different properties. If all the values in the set $\{T_1, T_2, T_3, d_1, d_2, d_3, d_4\}$ are signed when forming an authority, the knowledge extraction process for the group signature scheme will reveal the customer’s private key and group membership certificate in the event that the customer overspends. As has been previously noted by Nyang and Song [5] in connection with Brands’ cash scheme [2], the bank can then falsely accuse the customer of additional overspending. 

If the values $T_1, T_2, d_3$ are used in forming the authority, the customer’s $A_i$ can be extracted if double-spending occurs. This allows the bank to independently identify the customer but the bank cannot create false payment transcripts. If the values $T_1, T_2$ are used, the bank can still detect the double-spending event. The revocation manager can open the offending transcripts and identify the overspending customer, which is the reason for using group signatures to begin with. 

4 Conclusions and Further Work 

We have presented a new offline cash scheme based on an efficient and provably coalition-resistant group signature scheme. The group signature properties are used to deliver anonymity, unlinkability and revocation services. A blindly signed authority from the bank is used to detect double-spending. The exact nature of this authority has been left flexible. 

The scheme discussed in this paper is susceptible to diversion and this can lead to perfect crimes [7] such as blackmailing and money laundering. Designing an authority mechanism which is resistant to diversion is an open problem with respect to the underlying group signature scheme used in this paper. 



References 

1. Giuseppe Ateniese, Jan Camenisch, Marc Joye, and Gene Tsudik. A practical and provably secure coalition-resistant group signature scheme. In Advances in Cryptology — CRYPTO 2000, LNCS 1880, pages 255-270. Springer-Verlag, 2000. 

2. Stefan Brands. Untraceable off-line cash in wallets with observers. In Advances in Cryptology — CRYPTO ’93, LNCS 773, pages 302-318. Springer-Verlag, 1993. 

3. A. Lysyanskaya and Z. Ramzan. Group blind digital signatures: A scalable solution to electronic cash. In Financial Cryptography: Second International Conference, FC ’98, LNCS 1465, pages 184-197. Springer-Verlag, 1998. 

4. Toru Nakanishi, Nobuaki Haruna, and Yuji Sugiyama. Unlinkable electronic coupon protocol with anonymity control. In International Workshop on Information Security (ISW’99), LNCS 1729, pages 37-46, 1999. 

5. DaeHun Nyang and JooSeok Song. Preventing double-spent coins from revealing user’s whole secret. In Second International Conference on Information Security and Cryptology (ICISC’99), LNCS 1787, pages 13-20. Springer-Verlag, 1999. 

6. Jacques Traore. Group signatures and their relevance to privacy-protecting off-line electronic cash systems. In Australasian Conference on Information Security and Privacy (ACISP’99), LNCS 1587, pages 228-243. Springer-Verlag, 1999. 

7. S. von Solms and D. Naccache. Blind signatures and perfect crimes. Computers and Security, 11:581-583, 1992. 




Fair Exchange of Digital Signatures with Offline Trusted Third Party 

Chuan-Kun Wu¹ and Vijay Varadharajan² 

¹ Department of Computer Science, Australian National University, Canberra, ACT 0200, AUSTRALIA, chuan@cs.anu.edu.au 
² Department of Computing, Macquarie University, North Ryde, NSW 2109, AUSTRALIA, vijay@ics.mq.edu.au 



Abstract. In this paper we show how fair exchange of digital signatures can be made possible without a separate verifiable encryption. This means that the fair exchange protocol can be established based on an existing signature algorithm without modification, except that the users need to get a ticket from an off-line trusted third party to enable the fair exchange. The trusted third party is needed to make a judgment only when there is a dispute. Explicit protocols based on different digital signature algorithms are proposed. 

Keywords: Digital signature; Fair exchange; Electronic commerce 



1 Introduction 

Fair exchange is a protocol by which two entities, A and B, can exchange data (e.g. a signed document, electronic cash/check, electronic product, commitment to providing goods and/or services, etc.) in such a way that the entity who provides the data last cannot take advantage over the other, even when time is sensitive. It is reasonable to assume that there is a trusted third party (TTP) who acts as a judge when disputes occur. 

Fair exchange protocols apply only to messages with known properties, e.g. 
digital signatures and digital cash. Fair exchange of signatures can be made in 
two steps: verifiable signature commitment and signature verifiable encryption. 
Verifiability is essential as otherwise the verifier cannot be convinced whether a 
message is useful or simply garbage. The idea of designing verifiable signature 
commitment is different from that of verifiable signature sharing [6] [13], because 
in the former case the whole signature is wrapped while in the latter case the 
signature is split into pieces and distributed to different proxies. However, the 
idea for designing verifiable encryption protocols can be very similar. 

A common application of fair exchange of signatures occurs in contract sign- 
ing. In this case the signature of both parties can be exchanged in a bit-by-bit 
fashion (e.g. in [2] [9] [11]), by means of bit commitment. If one party stops 
the bit-by-bit exchange, neither of them has the other party’s signature. It is 
effectively a fair exchange protocol, though there may exist one bit unfairness. 
However, this is not practical for long signatures, as the computational complex- 
ity can become very high. 
In some other protocols (e.g. [7] [14] [15]), a trusted third party (TTP) is required to be on-line. Fair exchange is essentially done by the TTP. This is still not efficient. For instance, in a real world situation, judgment from a court is needed only when disputes occur; otherwise the judge is unaware of what is happening (except when he intentionally monitors the situation). Therefore it is desirable to design fair exchange protocols where a trusted authority stays off-line. 

In [1,3] fair exchange protocols are proposed where the TTP does not have to be on-line. This property enables the TTP to serve a large number of users, where we assume that the majority of users are honest. So the TTP is needed only when there is a dispute. The protocols proposed in [1] make use of general verifiable encryption protocols which normally need a zero-knowledge proof. This is inefficient as the complexity of the zero-knowledge proof is normally high. Recently an RSA-based fair payment protocol was proposed in [3] which modifies the undeniable signature protocols presented in [8] to formulate a confirmation protocol. Although verifiable encryption is not employed in [3], an interactive proof is needed for signature confirmation. 



2 Fair Exchange of Discrete Logarithm Based Signatures 

In this paper we only consider discrete logarithm based signatures as they have similar set-up assumptions. There have been a number of signature algorithm proposals based on the discrete logarithm problem over a prime field (e.g. [12] [4] [5]). Except for a minor difference in further requirements on the properties (e.g. [10]) or a weaker requirement on $q$ [4], the most common assumption made is as follows: Let $p, q$ be large primes such that $q \mid (p - 1)$, and let $g$ be a generator for the subgroup of $\mathbb{Z}_p^*$ of order $q$, where $\mathbb{Z}_p^*$ is the largest multiplicative group in $\mathbb{Z}_p = \{0, 1, \dots, p - 1\}$. All the numbers $p$, $q$ and $g$ are known to the public. It is also assumed that there is a publicly known hash function $H(x)$ mapping from arbitrary numbers in $\mathbb{Z}$ to fixed length numbers in $\mathbb{Z}_q$. 

To set up a key, user $X$ chooses a random number $x \in \mathbb{Z}_q$ as his private key, and computes $h = g^x \bmod p$ as his public key¹. 



2.1 Fair Exchanges for DSS-Based Signatures 

As a typical example, the Digital Signature Standard (DSS [5]) is based on the discrete logarithm problem with the same assumption for the primes $p$ and $q$ as above; we here briefly describe how fair exchange protocols can be established based on DSS. 

The setup assumption and key generation in DSS are very much similar to other discrete logarithm based digital signature schemes, i.e. each user chooses a secret $x$, and computes a public key $y = g^x \bmod p$, where $g$ and $p$ are public parameters. Apart from this, every user who wants to execute the fair exchange protocol must register with the TTP as follows: user $X$ and the TTP mutually agree on a random number $v \in \mathbb{Z}_q$. This cannot be chosen by the user only. 

¹ In practice the public key needs to be authorized, and a certificate containing the public key, the identity of the user, validity period of the public key, etc., is issued. This certificate is kept by the user and is sent to the receiver, or published somewhere which is publicly accessible. 

Signature generation. Choose $k \in \mathbb{Z}_q^*$ at random, let $r = (g^k \bmod p) \bmod q$, and $s = k^{-1}(H(m) + xr) \bmod q$, where $H()$ is a publicly known hash function as is assumed in the Schnorr signature scheme. The signature is the pair $(r, s)$. 
Signature verification. Let $u_1 = H(m)s^{-1} \bmod q$ and $u_2 = rs^{-1} \bmod q$. Verify whether the equation $r = (g^{u_1} y^{u_2} \bmod p) \bmod q$ holds. 

In [1] a DSS based signature commitment protocol is proposed which is 
proved to be secure against any forgeries. Here we modify it so that verifiable 
encryption is not required but still achieve the same purpose, namely the confir- 
mation on the convertibility of the signature commitment into a normal signature 
by the TTP. In order to do this, we assume that in the registration, the user 
has the public information 7 = 5 ’' mod p, 7 ' = g"" mod p, t = g"^ mod p and 
A = 7 '“^ mod p authorised and issued by the TTP, where the TTP has recorded 
V and w {v and w are also known to the user) associated with the user’s identity. 

DSS Signature Commitment 

In the following discussion we will use $\alpha \| \beta$ to denote the concatenation of $\alpha$ and $\beta$. Now we can give the following protocol. 

Producing a Signature Commitment 

— Produce a reference signature using the private information $v$ and $w$ which are shared by the user and the TTP: $v' = (v + w\gamma) \bmod q$. 

— Let a = mod p, (3 = mod p, 6 = h" mod p. 

— Let $r = (\alpha\beta \bmod p) \bmod q$, $c = r^{-1}H(m) \bmod q$, $e = H(\alpha \| \beta \| \delta \| c)$, and $z = (v' + e u_1) \bmod q$. 

— Commitment: the tuple $(\alpha, \beta, \delta, z)$. 

Verification of Signature Commitment 

— Compute $r = (\alpha\beta \bmod p) \bmod q$, $c = r^{-1}H(m) \bmod q$, $e = H(\alpha \| \beta \| \delta \| c)$, and $\alpha' = g^{v'} \bmod p$. 

— Check whether g^ = a'a® (mod p) and = 5/3'”® (mod p)l 

Theorem 1. The DSS signature commitment protocol described above has the following properties: 

Completeness: An honest prover will always be successful in convincing the verifier that a valid signature commitment is produced, i.e., it succeeds in the signature commitment verification. 

Privacy: The verifier will learn nothing about the signature from the signature commitment except being able to check the validity of the signature commitment. 

Soundness: To forge a signature commitment is no easier than forging a normal signature, which is assumed to be computationally infeasible. 

Convertibility: Given the parameter $v$, the signature commitment can be converted into a normal signature which is publicly verifiable. This can be done by the TTP as the TTP has recorded the values of $v$ and $w$. 
Fair Signature Exchange and Dispute Resolution 

Protocols for fair exchange and for dispute resolution can be built on this commitment. For fair exchange of signature commitments and consequently the full signatures, the idea is to use a timestamp to constrain the time for signature commitment exchange; when the final signature exchange is not complete after some pre-set time, an abort protocol is executed to force the exchange to be aborted. This is requested by one party and executed by an off-line TTP after verifying the validity of the request. No party takes any liability for further exchange of signatures after the abort protocol has been executed. If the protocol has gone far enough, a dispute resolution protocol is used to resolve disputes by forcing the exchange to complete. This is also requested by a party with sufficient information regarding the other party’s signature commitment and is executed by the off-line TTP. The trick that allows the TTP to recover the signature given a signature commitment is that the TTP has a common key with every user, and this shared key plays an important role in signature commitment generation. The details of these sub-protocols are omitted here. 

Properties 

Compared with the signature commitment protocol based on DSS proposed in [1], the DSS signature commitment protocol described above has the following properties: 

— Only one hash function is required, which is available from the DSS algorithm. In [1] another random hash function $H'()$ is used in generating signature commitments; we do not see its necessity. 

— The computational complexity of producing a signature commitment is lower than that in [1], as we only use three modular exponentiations rather than four as in the case of [1]. 

— The computational complexity of verifying the signature commitment is higher than that in [1], as $\alpha'$ has to be computed in the verification. This actually transfers the load from signature commitment creation, as in [1], to verification in this scheme. One more modular exponentiation is involved for the purpose of signature convertibility verification. 

— The validity of $v'$ can be verified, which ensures the signature convertibility, but the verifier learns nothing about the value of $v'$. This validity verification is done by only one additional modular exponentiation with the help of some information authorised by the TTP. 

— The protocol above is explicitly proved to be at least as secure as forging normal signatures. 

3 Conclusion 

In this paper we have proposed a fair exchange protocol for digital signatures with an off-line trusted third party. The prerequisite is an existing signature algorithm, which does not need to be re-established. In this paper, there is no need for verifiable encryption protocols, which are normally executed via an interactive zero-knowledge proof. This protocol has been shown to have good properties. 
Abstract. The cyber attack simulation tool, SECUSIM, is presented for specifying attack mechanisms, verifying defense mechanisms, and evaluating their consequences. The tool has been successfully developed by employing advanced modeling and simulation concepts such as the SES/MB (System Entity Structure / Model Base) framework, the DEVS (Discrete Event System Specification) formalism, and the experimental frame. SECUSIM is currently implemented on the basis of Visual C++ and enables a simulation of twenty attack scenarios against hundreds of network components. 



1 Introduction 

As we increasingly rely on information infrastructures to support critical operations in 
defense, banking, telecommunication, transportation, electric power and many other 
systems, cyber attacks have become a significant threat to our society with potentially 
severe consequences [1]. A computer and network system must be protected to assure 
security goals such as availability, confidentiality and integrity. That is, the deep 
understanding of system operation and attack mechanisms is the foundation of 
designing and integrating information protection activities [2]. Therefore, the 
advanced modeling and simulation methodology is essential for classifying threats, 
specifying attack mechanisms, verifying protective mechanisms, and evaluating their 
consequences. That means, we need to establish the advanced simulation system for 
analyzing vulnerabilities of given infrastructure as well as the expected consequences 
of successful attacks and the effect of the defense policy [3]. 

Cohen [3], who was a pioneer in the field of network security modeling and simulation, suggested a simple network security model. However, the cyber attack and defense representation based on his cause-effect model [3] is so simple that practical difficulties arise in applying it. Amoroso suggested that the intrusion model [4] should be represented by a sequence of actions; however, the computer simulation approach was not considered clearly. Wadlow [5] suggested an intrusion model, but it failed to go beyond the conceptual modeling level. Finally, Nong Ye [2] proposed a layer-based approach to complex security systems, but failed to provide practical modeling and simulation techniques for the relevant layers. 
In order to deal with those restrictions and limitations, we have successfully developed the network security simulation tool, SECUSIM, which is able to specify attack mechanisms, verify defense mechanisms, and evaluate their consequences. To achieve this, we first defined node and link vulnerability metrics that provide the proper mechanisms for evaluating the given information infrastructure. Then the behaviors of the cyber-attack, defense, and consequences are coherently characterized within the state transition diagram of a discrete event model. We also proposed a functional level of modeling complexity so that the model is not too complex but meaningful enough. Such a functional level has been successfully developed using the hierarchical and modular discrete event simulation environment underlying the DEVS formalism [6,7,8]. 



2 Simulation Methodology 

Fig. 1 shows the overall methodology using the SES/MB [6]. Phase I represents the conceptual specification stage, in which the decomposition, taxonomies, coupling specification and constraints of the given information network system can be specified by the SES (System Entity Structure) [6]. In Phase II, the network component models as well as the attacker models and analyzer models can be built through the DEVS (Discrete Event System Specification) formalism [6,7] and saved into the MB (Model Base). In particular, based on this basic behavior model for a network component, command-level modeling using pre/post-conditions can be accomplished by grouping and characterizing the commands that are used in various services. In Phase III, the simulation model may be constructed by integrating the dynamic models in the MB along with the network structure of the SES so that the cyber attack simulation can be performed. Finally, the simulation result can be analyzed in Phase IV so that the security characteristics and policies of each network component may be evaluated [8]. 



3 Main Features of SECUSIM 

SECUSIM is currently implemented on the basis of Visual C++ and enables a simulation of twenty attack patterns against hundreds of network components. The software architecture of SECUSIM (Fig. 2) consists of the following five modules: 

- GUI: It basically has the functionality for initialization and modification of network component attributes based on the simulation condition and result. It also supports packet-level graphic animation during simulation. 

- Network Configurator: It provides graphic editing capabilities for constructing the network structure. 

- Simulation Engine: It runs the simulation by executing the network component models based on the given attack scenario. It also produces the simulation results for the GUI. 

- Component Model Base: It is a model base that contains behavior characteristics represented by the DEVS formalism. It basically consists of various servers, routers, gateways, firewalls, links, etc. 

- Attack Scenario Database: It is a database that contains command-level cyber attack scenarios in order to inject the cyber attack commands into the given network via simulation. 
Fig. 1. Overall methodology 

Fig. 2. The software architecture of SECUSIM 

SECUSIM supports five modes of usage for allowing step-by-step analysis (see Fig. 3) as follows: 

(1) Basic Mode: It provides basic knowledge of cyber-attack mechanisms by retrieving the scenario database. 

(2) Intermediate Mode: It allows the cyber attack simulation of a given network by selecting an arbitrary attacker model and target host as well as setting the attack scenario. 

(3) Advanced Mode: It supports direct command-level testing of a given cyber-attack against the given network models. 

(4) Professional Mode: It provides advanced analysis of link and node vulnerability of a given network by allowing multiple cyber-attack simulations. 

(5) Application Mode: It provides graphic editing capabilities for users to create and simulate their own network configurations. 

Fig. 3. Screen copies of ‘SECUSIM’ 

4 Conclusions 

We have successfully developed the cyber attack simulation tool, SECUSIM, which is able to specify attack mechanisms, verify defense mechanisms, and evaluate their consequences. The tool takes advantage of a hierarchical and modular modeling and simulation environment, so that it efficiently supports constructing the security model as well as analyzing node and link vulnerabilities of a given network model through simulation. SECUSIM is currently implemented on the basis of Visual C++ and enables a simulation of twenty attack patterns against hundreds of network components. We leave for future study automated model generation and the identification of unknown cyber-attacks through simulation. 
Abstract. This paper discusses the semantics of authentication protocols, and then proposes a new formal logic system of authentication. It is useful and effective not only in analyzing key establishment protocols, but also in analyzing identification authentication protocols, electronic commerce protocols and non-repudiation protocols. Moreover, my logic does not need the protocol idealization that has caused many problems in other BAN-like logic systems. 



1 Introduction 

Michael Burrows, Martin Abadi and Roger Needham published a famous paper, “A Logic of Authentication”, in 1989. This paper proposed a new method for authentication protocol analysis. It is useful in finding flaws in some authentication protocols, and is known as BAN logic. 

Of course the BAN logic is helpful in analysing the security of some protocols, but, as some researchers have indicated, sometimes the analytic result is not accurate, so it is not a perfect method. In 1990, Li Gong et al. improved the BAN logic and proposed a new logic named GNY logic. In 1994, R. Syverson et al. proposed another logic named SVO logic. After that many other logic methods appeared. All of these logics are collectively known as BAN-like logics. 

Wenbo Mao and Sihan Qing et al. discussed the limitations of BAN logic, and other researchers found the limitations of GNY and SVO logic in the last few years. They concluded that the idealization process is the main cause of many inaccurate results. 

I think that the basic cause is the semantics and the postulates, not the idealization process. I find that the idealization is unnecessary if the semantics and the postulates are well defined. This paper first defines the semantics, then gives the axioms. Owing to length limits, examples will be given in other papers. 

2 The Semantics 

2.1 Some Basic Notations 

In our paper, we use the following notations: 

Let $S$ denote the center name or the server’s identifier, and $\Omega'$ denote the set of all center names; we use $A, B, C$ to denote the user name or user’s identifier, and $\Omega''$ to denote the set of all user names. Let $\Omega = \Omega' \cup \Omega''$ be called the host name set. 

Let $\Im$ denote the set of all time-stamps, $N$ the set of all nonces; $\Re'$ the set of attributed symmetric keys, $\Re''$ the set of session keys. $\Re = \Re' \cup \Re''$ is the set of all symmetric keys. Let $\wp'$ denote the set of all public keys, $\wp''$ the set of all private keys, and $\wp = \wp' \cup \wp''$ the set of all asymmetric keys. 

Also, we use $P, Q, R$ to denote an arbitrary host or host name; in other words, $P, Q, R$ are the host name variables. Similarly, let $X, Y, Z$ denote an arbitrary bit string, $X''$ denote the set of all bit strings; $F, O$ denote an arbitrary set. 

Definition 1 We call a bit string $Y$ a term including $X$ if $X$ is a bit string and $Y$ is composed of $X$ concatenated with other bit strings. We denote it as $Y = \rho(X)$. We also say that $Y$ concludes $X$, or $X$ is concluded in $Y$. 

Definition 2 Let $X$ be a bit string and $CF$, $CF'$ be cryptographic functions. A term implying $X$ is defined as follows: 

(1) $CF(\rho(X))$ is a term implying $X$; 

(2) If $Y$ is a term implying $X$, then $CF'(\rho(Y))$ is also a term implying $X$; 

(3) The set of all terms implying $X$ is generated as in (1) and (2). 

We denote a term implying $X$ as $Y = \chi(X)$, and say that $Y$ implies $X$, or $X$ is implied in $Y$. Note: a cryptographic function refers to an encryption function, a decryption function, a signature function, or a hash function. 

When we use key $K$ to encipher message $X$, we obtain a cipher-text $Y = CF(X, K)$, where $CF$ is the encipher function. Generally, it is denoted as $Y = \{X\}_K$, and here we denote it as $Y = [X]K$ for convenience. A hash function is denoted by $H(X)$. Examples: $[X]K$ is a term implying $X$; $[Y, H(X)]K$ and $[Y, [X, Z]K]K'$ are also terms implying $X$. 

Definition 3 Let x(X) be a term implying X, if we can obtain X from x(X) by some 
algorithm and some especially message, then we say that X is retrievable from x(X), 
and denote it as Xsx(X). For instance, x(X)=[X]K, then X can be retrieved from [X]K 
provided K ' is known; but no one can retrieve X from H(X), so H(X) is irretrievable. 
Definition 4 We say that a bit string is fresh if it is generated in recent time, and 
denote it as #(X). 

2.2 The Messages 

Definition 5 A message is defined as follows: 

(1) An element of the set Ω ∪ 𝔗 ∪ 𝔓 ∪ 𝔎' is a message; 

(2) If X, Y are messages, then (X, Y), the bit string of X concatenated with 
Y, is a message; 

(3) If X_1, ..., X_n are messages, then F(X_1, ..., X_n) is a message, where F is 
an arbitrary function. In particular, H(X) and [X]K are messages if X 
is a message; 

(4) The set of all messages is generated as above. 

We denote the set of all messages as Σ. 

Definition 6 If a bit string X is not a message, we say that X is a confusion code. 
Definition 7 We say that a bit string X is a truthful message, or that message X is truthful, 
if we can conclude that X is really a message. 

Note: A nonce or a cipher-text looks just like a confusion code, so it is necessary to give 
the above definition. Many BAN-like logic systems give the definition "recognizable". 
Surely a recognizable bit string is indeed a message, but we argue that a message is 
not always recognizable. For example, when a host transmits an enciphered message, 
it can believe that it is a message, but it cannot recognize it. 

2.3 The Formula 

Definition 8 Let Σ'' be the set of all bit strings, Γ be a set, X, Y ∈ Σ'' be bit string 
variables, and P, Q ∈ Ω be hosts. We say that the symbol strings X ∈ Γ, X = Y, X ∈ Σ, #(X), 
X ≤ τ(X), P ∋ X, P ◁ X, X ⇝ P, P ⇒ Q and &(P) are atomic formulas. We interpret some 
atomic formulas as follows: 

(1) P ∋ X: P generates X; 

(2) P ◁ X: P sees X; 

(3) X ⇝ P: X is given to P, or P is the receiver of X; 

(4) P ⇒ Q: Q is P's communicative object, or P's communicative 
object is Q; 

(5) &(P): P is taking part in a protocol communication. 

Definition 9 A formula is defined as follows: 

(1) An atomic formula is a formula; 

(2) If E is a formula and P ∈ Ω, then (P ⊨ E), (¬E), (∀X)E are also formulas; 

(3) If E and F are formulas, then (E → F) is also a formula; 

(4) All formulas are generated as above. 

Here (P ⊨ E) represents that P believes that formula E is correct; (¬E) represents 
the negation of E; (E → F) represents that if E, then F; (∀X)E represents that E holds 
for all X. 

Note: The symbols ∈, =, #, &, ∋, ◁, ⇝, ⇒, ≤ are first order predicates, the 
symbol ⊨ is a second order predicate, ∀ is a quantifier, and ¬ (negation), → (conditional) 
are connectives. 

Definition 10 For the convenience, we define some new formula symbols with the 
defined formula as follows: 

(1) (E/\F) is the abbreviation of formula —i(E—>(—iF)), that is E and F; 

(2) {E\/F) is the abbreviation of formula (—lE^ F), that is E or F\ 

(3) {E<r^F) is the abbreviation of formula (E^F)a(F^E) , that is , £ if 
and only if F; 

(4) X^Y, (Xg T) is the abbreviation of formula — i(X=Y), — i(Xe T); 

(5) (T <IX) is the abbreviation of formula (VR)((Rer)-3(R<IX)), where X 
gI'T-TcQ; 

(6) (T < X) is the abbreviation of formula (VR)((R <IX)-3(Rg T)); 

(7) (T| < X) is the abbreviation of formula ((r<IX)A(r <X)); 

(8) (P <1 T) is the abbreviation of formula (VX)((Xg F)— 3(P <1 X)); 

(9) r|=£' is the abbreviation of formula (VR)(Rg T— 3R|=£), where TcQ; 

(10) P ↔K Q is the abbreviation of formula (K ∈ 𝔎) ∧ {P,Q} ⊨ (K ∈ Σ ∧ 
{P,Q} |◁ K); 

(11) (K ↦ P) is the abbreviation of formula (K ∈ 𝔓') ∧ (P ◁ K') ∧ (P ⊨ K' ∈ 𝔓''); 

(12) (X ⇝ Γ) is the abbreviation of formula (∀R)((X ⇝ R) → (R ∈ Γ)); 

(13) Q|~X is the abbreviation of formula (3 K)(Kg5RuP"aQ3[p(X)]K); 

(14) P| ~ X is the abbreviation of formula (P|~X)a#(X); 

(15) 0 (X,P) is the abbreviation of formula ((3 Q)((Q|~X))a(X P)); 

( 1 6) P|= 0 (X) is the abbreviation of formula P|= 0 (X,P); 

Note: Although we defined some new formulas, the set of all formulas is not 
expanded. 

3 Axioms 

Now we give some axioms. In the following axioms we always assume that W, X, Y, 
Z ∈ Σ'' are arbitrary bit strings; P, Q, R ∈ Ω are arbitrary hosts; K ∈ 𝔎 ∪ 𝔓 is a key; ρ(X) 
is a term including X; τ(X) is a term implying X; F is a function; H is a hash 
function; [X]K is an encryption function with key K, a decryption function with key K, 
or a signature function with key K; Σ_1 = Ω ∪ 𝔗 ∪ 𝔓 is the known message set; Σ' is 
the set of all bit strings transmitted in a given protocol. 

Axiom about General Functions, abbreviated to AGF: 

AGF: (P <1 {Xj,. . .,XJ)^(P <IF(Xj,. . . ,XJ);(Function F is public) 

Axiom about Cryptographic Function, abbreviated to ACF: 

ACF: {X,Y}cE^((F(X)=[X]KvF(X)=H(X))^(F(X)=F(Y)g^X=Y)); 

Axiom about Truthful Message, abbreviated to ATM: 

ATM: (P|=XGl)G^(P<IXA((XGQu3vP|=Xe PvP|=Xg5Rv(X=p(Y)aP|=Yg 
S) V (X=H(Y)aP|=Yg S) V (X=x(Y)aP|=Y?t(Y)aP|=Yg S)vP3X)); 

Axiom about Determining Some Basic Set, Such as Q., 3 and N , abbreviated to 
ADS: 

ADS: Xg F^(P|=Xg Fg^(P <XaP|=Xg S));(F is Q', Q", 3, K , 5R or D) 

Axiom about Key’s Basic Properties, abbreviated to AKP: 

AKPl: ((K‘) =K); 

AKP2: (P<K')^(P<I [X]K->P<IX); 

Axiom about Symmetric Key, abbreviated to ASK: 

ASK: KG9f-^(P<IK-^P<IK‘)); 

Axiom about Asymmetric Key, abbreviated to AAK: 

AAKl: K g ^"g^Kg p'; 

AAK2: P|=Kg p'^((P <K)aP|=(Q <K‘-»Q| < K‘)); 

Axiom about Believing Theorems, abbreviated to ABT: 

ABT: £<-G(VP)(P|=£');(where E is an arbitrary theorem of arithmetic system or 
an arbitrary axioms of this system) 

Axiom about Interchanging Belief Predicate with Quantifier, abbreviated to 
IBQ: 

IBQ: (VX)P|=£(X)GGP|=(VX)£'(X);(where X^^P, and E(X) is a formula which 
X is free occurred in E) 

Axiom about Interchanging Belief Predicate with Negation, abbreviated to 
IBN: 

IBN: (P|=^)gg^(P|=£:); 
Belief Modus Ponens, abbreviated to BMP: 

BMP: (P|=(£'^F))^(P|=£'-»P|=F); 

Axiom about Belief Absorption, abbreviated to ABA: 

ABA: (P|^(P|=£'))<-^(P|=£');(£' is an arbitrary formula) 

Axiom about See Predicate, abbreviated to ASP: 

ASPl: ((P <IX)^(P3XvX£ljUrv(P <t(X)aP|=Xs t(X))); 

ASP2: (P<lp(X)-3P<IX); 

ASP3: (P<IX£^P|=P<IX); 

Axiom about Message Generation, abbreviated to AMG: 

AMGl: P3 X^(P<IXaP|=0 (X)); 

AMG2: Xe3uNuSR-3(P3X^P|=#(X)); 

AMG3: X£ NuSR-3(P3X-3P|=(VR)(R3X-3R=P)); 

AMG4: T(X)£l£^(3Q)(Q3T(X)); 

AMG5: P3F(X)-3P<IX; 

AMG6: P3X£^P|=P3X; 

Axiom about Naming the Participator, abbreviated to ANP: 

ANPl: Pe Q'^(P| = Q^P|=&(Q)); 

ANP2: (PsQ"aP;^Q)-3(P|~Q-3P^Q); 

ANP3: P£ Q'^((P|~Q ^ RaQ;^R)^P|=Q^R); 

ANP4: P|=Q| =X-3P|^&(Q); 

ANP5: (P|~X:- Q)-3P^Q; 

(Note: ANP4 and ANP5 do not name the host directly, but they name the host 
name implicitly) 

ANP6: Xg p'^R|=((PgQ AP;^Q)-3(P|~(Q,X)^Xi-^Q));(This axiom is about 
the public key certificate, we assume that in a public key certificate the owner’s 
name (host name) is always ahead of the key) 

Axiom about Message Retrieving, abbreviated to RET: 

RET: (P|=Xs [p(X)]Kg^P<IK'); 

Axiom about Message Receipt, abbreviated to REC: 

RECl: (P;^QaP|=Q3H(X))-^P|=X^P; 

REC2: (P < ^ > QaP|=Q3[X]K)^P|=X^P; 

REC3:Ke9i-3((P|=0 (K)aP< [X]K)-3P|=X^ P); 

REC4: (P <1 [X]KaKi-^P)^(P|=Xg I-3P|=X ^ P); 

REC5: (P <1 [X]K‘ aX=p(P)aP|=Ki-^Q)-3(P|=Xg I-^P|=X ^ P); 

REC6: (p(X) ^P-^X:-P); 

Axiom about Fresh Message, abbreviated to AFM: 

AFMl: (Xg 3)-^(P|=Qhp(X)-^P|=#(p(X))); 

AFM2: XgQ^(#(X)G^#p(X)); 

AFM3: #(X)^#H(X); 

AFM4: (#(X)v#(K))^#([X]K); 

Thus we have forty axioms in total, as listed above, divided into eighteen 
classes. 
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4 Rules and Theorems 

We have two inference rules, MP (Modus Ponens) and GN (Generalization), just as in 
a predicate formal system. The rule MP says that if we have the formula E and 
(E → F), then we can obtain F. The rule GN says that if we have the formula E, then 
we can obtain (∀X)E. 

Note: We have now defined a second order system. We 
call it LEE logic for convenience. 

It is obvious that our system is an expansion of the arithmetic axiom 
system. Hence all arithmetic theorems also hold in it. 

In our system there exists the formula (∀E)(P ⊨ (E → E)), but we do not 
discuss it because it is unnecessary for authentication protocol analysis. 

Definition 11 Let E_1, E_2, ..., E_n be a formula sequence. If each E_i is either an axiom 
or induced by the rules from the formulas ahead of E_i, then we call E_n a theorem. 
Sometimes we denote a theorem E by ⊢ E. 

Definition 12 Let Γ be a set of formulas and E_1, E_2, ..., E_n be a formula sequence. 
If each E_i is either an axiom or a member of Γ, or is induced by the rules from the 
formulas ahead of E_i, then we call E_n derived from Γ, or say Γ generates E_n, and denote 
it by Γ ⊢ E_n. 

There are many theorems in our logic system, such as: 

{P ↔K Q, P ◁ [X]K} ⊢ P ◁ X; 

{P ◁ [X]K, K ↦ P} ⊢ P ◁ X; 

{P ◁ [X]K', P ⊨ K ↦ Q, P ⊨ X ∈ Σ} ⊢ P ⊨ Q |~ X; 

We can prove many such useful theorems. We will publish some of them in other 
papers. 



5 Conclusions 

Our logic has many advantages. We list some of them as follows: 

Firstly, our logic is useful and effective not only in analyzing key establishment 
protocols, but also in analyzing identification and authentication protocols, electronic 
commerce protocols and non-repudiation protocols. 

Secondly, we can express the goals of a protocol accurately with well-defined 
formulas. 

Thirdly, we do not need the protocol idealization that has caused many problems 
in BAN-like logics. 

Fourthly, we can define "secure protocol" accurately for different kinds of 
protocols. 

We have already analyzed many protocols. We will publish them in other papers. 
Abstract. A number of techniques have recently been proposed to prevent 
unauthorized users from illegally copying or redistributing multimedia contents. 
One approach to copy protection is robust watermarking, which aims to resist 
several attacks such as signal processing, geometric distortion, etc. In contrast to 
robust watermarking, the other approach is fragile watermarking, which aims to detect 
slight changes to the watermarked contents. In this paper we identify the problems of 
the marking and identification scheme for document images using a one-directional 
diagonal profile that we proposed earlier, and then propose a robust watermarking 
technique that resolves these problems using bi-directional diagonal profiles: a 
left-directional diagonal profile and a right-directional diagonal profile. This robust 
watermarking technique reduces the side information needed in the watermark 
extraction procedure and finds the pixel position on the document image from only 
the indexes of the bi-directional diagonal profiles. Finally, in addition to the robust 
watermarking scheme, we propose a fragile watermarking technique that can 
locate or characterize a forged region using the feature of the bi-directional 
diagonal profiles and a reverse process. 



1. Introduction 

With the growth of high technology it has become possible for unauthorized users to 
access multimedia contents such as documents, audio and video, and these illegally 
accessed contents can furthermore be copied or redistributed to third parties. To protect 
such multimedia contents, copy protection techniques have been introduced; they can be 
classified into two categories. One is robust watermarking, which aims to resist 
attacks that attempt to remove or destroy the watermark. The other is fragile 
watermarking, which mainly aims to detect even slight changes to the watermarked 
contents. The main application of fragile watermarks is content authentication: they 
can be used to prove that an object has not been modified, which might be useful 
if digital contents are used as evidence in court. 

In particular, this paper deals with digital watermarking for text document images. 
This technique has applications wherever copyrighted electronic documents are 
distributed. One example is a virtual digital library where users may download 
copies of documents, for example books, but are not allowed to distribute them 
further or to store them longer than a certain predefined period. In this type of 
application a requested document is watermarked with a requester-specific watermark 
before it is released for download. If illegal copies are discovered later, the 
embedded watermark can be used to trace them back to the requester. 

S. Qing, T. Okamoto, and J. Zhou (Eds.): ICICS 2001, LNCS 2229, pp. 483-494, 2001. 
© Springer-Verlag Berlin Heidelberg 2001 

J.H. Park, S.E. Jeong, and C.S. Kim 

In Section 2 we briefly review several watermarking techniques for document 
images and then describe the problems of the watermarking technique [12] using a one-
directional diagonal profile. In Section 3 we propose a robust watermarking scheme 
using bi-directional diagonal profiles and also a fragile watermarking technique 
that can extract the forged region using a reverse process. We then present 
experimental results and conclusions in Sections 4 and 5. 



2. Watermarking Techniques for Text Documents 

Digital watermarking techniques for text document images are mainly classified into two 
categories: spatial domain techniques and frequency domain techniques. 

The spatial domain techniques by Brassil et al. [3][4][8] and Low et al. [2][6][7] slightly 
move the locations of words or lines; this is perceptually invisible even after 
the watermark is embedded. The embedded watermark can then be detected by 
feature detection, correlation detection or centroid detection, even if the document has 
been corrupted by copying, scanning or fax transmission. Feature detection is most 
directly applicable to detecting line shifting; it has the advantage of not requiring 
any information on the original unmarked document, but also the disadvantage of 
relatively poor performance on documents that have suffered significant distortion. 
Although centroid detection can be applied to detect both line and word spacing, its 
performance in the presence of noise is satisfactory only for line spacing. It is more 
reliable, but requires the centroids of the original unmarked document's profile. Correlation 
detection performs much better than centroid detection on word spacing, but its 
performance is sensitive to how accurately the translation of the profile can be 
compensated for. This method requires the profile of the original unmarked document. 

The frequency domain digital watermarking technique by Lui et al. [9] uses the original 
Cox et al. algorithm [5] as a representative frequency domain technique. It 
marks the watermark using the word or line shifting algorithm by Brassil et al. 
and Low et al. mentioned above, and then measures the similarity, as in the Cox et al. algorithm, 
between the original watermarked document image and the possibly corrupted watermarked 
document image to detect the watermark. This technique has the advantage of robustness 
against noise. 

We had proposed a watermarking algorithm [12] using a one-directional diagonal 
profile. It can easily detect an attempt to change the marked document by comparing 
the entire profile of the original marked document with that of the possibly changed document, 
because any change to the marked document influences the entire profile of the 
document. In other words, if an attacker changes several lines or 
words of a document, the line and word shifting technique only changes the 
profile of the corresponding lines or words, whereas in our previous scheme the entire 
profile of the document changes, not just some particular region, because of the 
nature of the diagonal profile. 
We had introduced two different decoding models in that scheme [12]. In 
decoding model I we could only detect the watermark on a noisy diagonal profile, while 
in decoding model II we could extract the watermark after removing the noise. Model 
I needs only a small amount of side information in the decoding procedure, but 
has the disadvantage of ambiguity in the watermark extraction procedure, since it 
cannot exactly separate the watermark from the noise on the diagonal 
profile. Model II, on the other hand, resolves the ambiguity in watermark extraction, but 
has the disadvantage of needing the original unmarked document to decode the 
watermark. 

The other problem of the proposed method using a one-directional diagonal profile is that 
the original pixel position of the watermark cannot be found from the profile indexes 
of the marked document alone: the actual position on the marked document has to be memorized. 
We therefore propose in Section 3 a new technique using bi-directional diagonal profiles, a 
left-directional diagonal profile and a right-directional diagonal profile, to 
improve on the problems of decoding models I and II. The technique using bi-directional 
diagonal profiles does not need the original unmarked document to extract the 
watermark. The watermark can be extracted using only the information about the indexes 
of the two diagonal profiles, so the side information in the 
watermark extraction procedure is reduced. It furthermore makes it possible to implement a fragile 
watermarking technique using the feature of the bi-directional diagonal profiles and a 
reverse process. 

3. Watermarking Using Bi-directional Diagonal Profiles 

3.1 Bi-direction Diagonal Profiles 

In general, a one-directional diagonal profile (i.e. the right-directional diagonal profile) of 
a document image is a projection of a two-dimensional array. Making the 
diagonal profile amounts to computing, for the current row and column, the index of the 
histogram bucket that pixel falls in. Let the row and column be denoted by i and j, respectively. Suppose that 
the dimensions of the image are n rows and m columns, so i and j range from 0 to n-1 
and from 0 to m-1, respectively, and assume that the index k of the diagonal is 
computed by an affine transformation of the row and column. The index k is 
given by (1), and the diagonal profile requires n+m-1 buckets. 

$$ k = i - j + m - 1, \qquad 0 \le k \le n + m - 2 \tag{1} $$

The bi-directional diagonal profile extends the one-directional diagonal profile. 
Figure 1 is an example of left- and right-directional diagonal profiles. For the right-
directional diagonal profile, the upper-right pixel is mapped to the first position of 
the profile and the lower-left pixel to its last position. For the left-directional 
diagonal profile, the lower-right pixel is mapped to the first position of the profile 
and the upper-left pixel to its last position. 

In this example n = 18 and m = 18, so each diagonal profile consists of 35 
buckets. A dotted black pixel on the original document image corresponds to a dotted 
pixel on each directional diagonal profile according to Eqns (2) and (3) below. 

$$ D_L(k) = n + m - i - j - 2 \tag{2} $$

$$ D_R(k) = i - j + m - 1 \tag{3} $$
Fig. 1. An example of bi-directional diagonal profiles 
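As an added example (not the paper's code), the two projections of Eqns (2) and (3) computed over a constructed 18 by 18 binary image, the size quoted for Figure 1: both profiles come out with 35 buckets, the corner pixels land in the buckets the text describes, and a pixel on an anti-diagonal (i + j constant) always lands in one D_L bucket. The function names and the image are the example's own.

```python
"""Left- and right-directional diagonal profiles of a binary image, Eqns (2)
and (3).  Added example, not the paper's code; the 18x18 image is constructed
to match the bucket count quoted for Figure 1 (n = m = 18, 35 buckets)."""

def bucket_right(i, j, n, m):
    # Eqn (3): upper-right pixel (0, m-1) -> bucket 0, lower-left (n-1, 0) -> n+m-2
    return i - j + m - 1

def bucket_left(i, j, n, m):
    # Eqn (2): lower-right pixel (n-1, m-1) -> bucket 0, upper-left (0, 0) -> n+m-2
    return n + m - i - j - 2

def diagonal_profiles(img):
    """Return (D_L, D_R): number of black pixels in each of the n+m-1 diagonal buckets."""
    n, m = len(img), len(img[0])
    d_l = [0] * (n + m - 1)
    d_r = [0] * (n + m - 1)
    for i in range(n):
        for j in range(m):
            if img[i][j]:
                d_l[bucket_left(i, j, n, m)] += 1
                d_r[bucket_right(i, j, n, m)] += 1
    return d_l, d_r

def region_profiles(img, t, b, s, e):
    """Profiles of a sub-image restricted as in Eqns (5)/(6): rows t..b, columns s..e."""
    return diagonal_profiles([row[s:e + 1] for row in img[t:b + 1]])

def sample_image(n=18, m=18):
    """Constructed test image: an 'L' stroke plus a short anti-diagonal stroke."""
    img = [[0] * m for _ in range(n)]
    for i in range(3, 14):
        img[i][4] = 1                 # vertical stroke of the L
    for j in range(4, 11):
        img[13][j] = 1                # base of the L (shares pixel (13, 4))
    for d in range(5):
        img[8 + d][17 - d] = 1        # anti-diagonal: i + j = 25 -> a single D_L bucket
    return img

def demo():
    img = sample_image()
    d_l, d_r = diagonal_profiles(img)
    return len(d_l), d_l, d_r
```

The right profile collapses every pixel with the same i − j into one bucket and the left profile every pixel with the same i + j, which is why the anti-diagonal stroke shows up as a single spike of height 5 in D_L but as five separate unit entries in D_R.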



3.2 Watermark Embedding Procedure 

Before describing the embedding procedure we define each document image. 
First, we assume that the page is represented as follows; Figure 2 is an example of a 
document image. 

$$ f(i, j) \in \{0, 1\}, \qquad i \in [0, n-1], \quad j \in [0, m-1] \tag{4} $$

where n and m, whose values depend on the scanning resolution, are the height and 
width of the page, respectively. The image of a text line is simply the function restricted 
to the region of the text line: 

$$ f(i, j) \in \{0, 1\}, \qquad i \in [t, b], \quad j \in [0, m-1] \tag{5} $$

where t and b are the top and bottom boundaries of the text line, respectively. The 
image of a word is represented as 

$$ f(i, j) \in \{0, 1\}, \qquad i \in [t, b], \quad j \in [s, e] \tag{6} $$

where s and e are the start and end columns of the word within the text line. 



[Figure 2: a page image with one text line marked by t (top) and b (bottom), one word marked by s (start) and e (end); D(k) is the diagonal profile of the entire page image, D_w(k) the diagonal profile of a word.] 

Fig. 2. Illustration of document image 
In this method, the algorithm for embedding a watermark that carries the copyright 
information of the original owner of the document image is described as follows. Figure 3 
shows the watermark embedding process. 

[Figure 3: embedding process, from the original document to the watermarked document.] 

Fig. 3. Watermark embedding process 



[Step 1] Randomly choose a word in which to embed the bit S_i ∈ {0, 1}, and generate the diagonal profiles D_L(w) 
and D_R(w) of the chosen word f_w(i, j): 

$$ D_L(w) = \begin{cases} D_L(w) + 1 & \text{if } f(i, j) = 1 \\ D_L(w) & \text{otherwise} \end{cases} \tag{7} $$

where w = p + q − x − y − 2 (0 ≤ w ≤ p + q − 2), t ≤ i ≤ b, s ≤ j ≤ e, 0 ≤ x ≤ p − 1, 
0 ≤ y ≤ q − 1, p = b − t + 1, q = e − s + 1; x and y are the row and column of the pixel 
relative to the top-left corner of the word. 

$$ D_R(w) = \begin{cases} D_R(w) + 1 & \text{if } f(i, j) = 1 \\ D_R(w) & \text{otherwise} \end{cases} \tag{8} $$

where w = x − y + q − 1 (0 ≤ w ≤ p + q − 2), with the same ranges for i, j, x, y, p and q; 
the word width q plays the role of the page width m in (3). 

[Step 2] Embed S_i on the selected D_R(w) under the following conditions: 

$$ D_R(w) = x - y + q - 1 \tag{9} $$

$$ D_R(w) = D_R(w) + W(S_i) \tag{10} $$

• Divide D_R(w) into two blocks b_1 and b_2: 
  S_i = '0' (white pixel value): embed one pixel at a randomly chosen position of b_1; 
  S_i = '1' (black pixel value): embed one pixel at a randomly chosen position of b_2. 

• The randomly selected position is a pixel adjacent to a black pixel that 
has the same bucket index on the text document image. 

• Maintain the embedded positions of the word in a table to prevent 
reselecting an embedded position. 

• Avoid words that are not wide enough, because the embedded 
watermark should not be visible under normal observation. 

[Step 3] Embed the watermark on D_L(w) by calculating the diagonal index of D_L(w) 
corresponding to the pixel that carries the watermark on D_R(w): 

$$ D_L(w) = p + q - x - y - 2 \tag{11} $$

$$ D_L(w) = D_L(w) + W(S_i) \tag{12} $$

[Step 4] Repeat Steps 1 to 3 until the whole watermark S has been embedded. 

[Step 5] Reconstruct the document image f(i, j). 

[Step 6] Produce the diagonal profile D(k) of the watermarked page f(i, j). 

3.3 Decoding Procedures 

Our decoding scheme is implemented as two different techniques: a robust 
watermarking technique and a fragile watermarking technique. In general, a fragile watermarking 
technique can specify the changed or forged region and does not aim to extract 
the watermark. We, however, focus on both extracting the embedded watermark 
and characterizing the forged region. Figure 4 shows these two processes. 

3.3.1 Robust Watermark Scheme to Extract the Watermark 

Now let us look into the watermark extraction procedure. Before describing the 
extraction of the watermark, note that our method allows detection in two ways. If you only 
want to detect whether the watermarked document has been changed, you can easily do so 
by comparing the number of vertical strips between the diagonal profile D(k) of the 
watermarked document f(i, j) and the diagonal profile D'(k) of the possibly corrupted or 
changed document f'(i, j). 

[Step 1] Generate the digitized document f'(i, j), which is possibly corrupted. 

[Step 2] Generate D'(k) of f'(i, j). 

[Step 3] Extract the watermark bit S_i from f'(i, j) using 
KEY_i = [RANP_w, (RANP_{D_L}(w), RANP_{D_R}(w))]. Eqns (13) and (14) are the same as 
Eqns (9) and (11); we restate them here together with Eqn (15). 

$$ D_R(w) = x - y + q - 1 \tag{13} $$

$$ D_L(w) = p + q - x - y - 2 \tag{14} $$

$$ i = |x|, \qquad j = |y| \tag{15} $$

where RANP_w is the randomly chosen word and 
(RANP_{D_L}(w), RANP_{D_R}(w)) are the randomly chosen positions on each directional 
diagonal profile at which the watermark was embedded. 

[Step 4] Repeat Step 3 until the whole watermark S has been extracted. 
3.3.2 Fragile Watermarking Scheme to Extract Forged Region 

In this decoding process we find the forged region exactly by reverse 
processing. We first compute, from f(i, j), the information 
POS_i = [PIXP_{D_L}(w), PIXP_{D_R}(w)] of all pixel values, consisting of the indexes on each directional 
diagonal profile, and then determine whether a pixel of f'(i, j) is forged 
or not according to Eqn (16). 

$$ f_{\mathrm{forged\_regions}}(i, j) = \begin{cases} 0 & \text{if } f'(i, j) \in POS_i \\ 1 & \text{otherwise} \end{cases} \tag{16} $$

[Figure 4: decoding process, from the possibly corrupted document to the extracted watermark (robust scheme) and the forged region (fragile scheme).] 

Fig. 4. Watermark decoding process 
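The following, as an added example that is not the authors' code, carries the embedding procedure (Steps 1 to 5), the robust extraction of 3.3.1 and the forged-region detection of 3.3.2 through on one binary word image. The word image, the watermark bits and the random seed are constructed. Three points the paper leaves open are fixed here as assumptions of the example: the blocks b1 and b2 are the lower and upper halves of the word's D_R bucket range; "adjacent to a black pixel with the same bucket index" is read as the diagonal neighbours (x±1, y±1), which share the value x − y; and the right-profile index uses the word width q (as Eqn (3) uses the page width m), so that its range is 0 to p+q−2 like the left-profile index.

```python
"""Embedding (Section 3.2, Steps 1-5), robust extraction (3.3.1) and fragile
forged-region detection (3.3.2) on one binary word image.  Added example, not
the authors' code.  Assumptions: b1/b2 are the lower/upper halves of the word's
D_R bucket range, 'adjacent on the same bucket' means a diagonal neighbour
(x+-1, y+-1), and the RNG is seeded for reproducibility."""
import random

def diag_indices(x, y, p, q):
    """Eqns (11) and (9) for a p-row, q-column word in local coordinates: (k_L, k_R).
    With (p, q) = (n, m) and page coordinates these are Eqns (2) and (3)."""
    return p + q - x - y - 2, x - y + q - 1

def pixel_from_diag(k_l, k_r, p, q):
    """Reverse process: adding and subtracting the two index formulas gives
    2x = k_R - k_L + p - 1 and 2y = p + 2q - 3 - k_R - k_L.
    Returns None if the pair names no pixel of the word."""
    two_x, two_y = k_r - k_l + p - 1, p + 2 * q - 3 - k_r - k_l
    if two_x % 2 or two_y % 2:
        return None
    x, y = two_x // 2, two_y // 2
    return (x, y) if 0 <= x < p and 0 <= y < q else None

def bit_of_bucket(k_r, p, q):
    # D_R(w) has p+q-1 buckets: block b1 (bit '0') is the lower half, b2 (bit '1') the upper
    return 0 if k_r < (p + q - 1) // 2 else 1

def candidates(word, bit):
    """Step 2: white pixels diagonally adjacent to a black pixel (same D_R bucket,
    x - y constant) whose bucket lies in the block selected by the bit."""
    p, q = len(word), len(word[0])
    out = []
    for x in range(p):
        for y in range(q):
            if word[x][y]:
                continue
            if bit_of_bucket(diag_indices(x, y, p, q)[1], p, q) != bit:
                continue
            if any(0 <= x + d < p and 0 <= y + d < q and word[x + d][y + d]
                   for d in (-1, 1)):
                out.append((x, y))
    return out

def embed(word, bits, seed=1):
    """Steps 1-5 for one word: returns the marked word and the key, one (k_L, k_R)
    pair per bit.  Marking a pixel black also removes it from the candidate set,
    which plays the role of the paper's table against reselecting a position."""
    rng = random.Random(seed)
    marked = [row[:] for row in word]
    p, q = len(marked), len(marked[0])
    key = []
    for bit in bits:
        cands = candidates(marked, bit)
        if not cands:
            raise ValueError("word too narrow to hold bit %d invisibly" % bit)
        x, y = rng.choice(cands)
        marked[x][y] = 1
        key.append(diag_indices(x, y, p, q))
    return marked, key

def extract(suspect, key):
    """3.3.1: recover the pixel from its (k_L, k_R) pair and read the bit from the
    D_R block.  A marked pixel that is no longer black (cropped, erased) gives None."""
    p, q = len(suspect), len(suspect[0])
    bits = []
    for k_l, k_r in key:
        pos = pixel_from_diag(k_l, k_r, p, q)
        ok = pos is not None and suspect[pos[0]][pos[1]] == 1
        bits.append(bit_of_bucket(k_r, p, q) if ok else None)
    return bits

def forged_regions(marked, suspect):
    """3.3.2, Eqn (16): POS holds the (k_L, k_R) pairs of the marked image's black
    pixels.  A suspect pixel is flagged (1) when its value disagrees with POS, so
    both added and removed black pixels are located."""
    p, q = len(marked), len(marked[0])
    pos = {diag_indices(x, y, p, q) for x in range(p) for y in range(q) if marked[x][y]}
    return [[1 if bool(suspect[x][y]) != (diag_indices(x, y, p, q) in pos) else 0
             for y in range(q)] for x in range(p)]

# Constructed 8-row by 24-column word image: three vertical strokes, a base, a diagonal.
WORD = [[0] * 24 for _ in range(8)]
for x in range(1, 7):
    WORD[x][3] = WORD[x][10] = WORD[x][17] = 1
for y in range(3, 9):
    WORD[6][y] = 1
for d in range(6):
    WORD[1 + d][17 + d] = 1

def demo(bits=(1, 0, 1, 1, 0)):
    marked, key = embed(WORD, list(bits))
    tampered = [row[:] for row in marked]
    tampered[3][20] = 1      # forged: a black pixel added
    tampered[6][5] = 0       # forged: a black pixel removed
    return extract(marked, key), forged_regions(marked, tampered)
```

The key per bit is just the two bucket indexes; the pixel is recomputed from them at decoding time, which is the side-information saving claimed for the bi-directional scheme. Because a removed pixel is as detectable as an added one, the fragile check in this example flags a cropped word as well as an inserted stroke, matching what Figures 13 and 14 show.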



4. Experimental Results 

To test how well marked documents can be extracted and forged regions characterized, 
we performed the following experiments. The original and the marked 
document were printed on an HP LaserJet 6P. The original image, of size 901x622, was 
scanned at 300 dpi on an HP 5200C. For the watermark we used a 50x33 binary image 
consisting of the author's initials. We read the secret 
information sequentially and embedded it at random positions of the document image using the two diagonal 
profiles. The original document was set in 10pt Times New Roman; the 
entire page consists of 13 lines and 87 words. To satisfy the 
condition of perceptual transparency, we embedded the watermark only in words that are 
more than 60 pixels wide. Figures 5 and 8 are the original unmarked image and the 
watermarked image. Figures 6 and 7 are the left- and right-directional diagonal profiles of 
Figure 5. Figures 10 and 11 are the left- and right-directional diagonal profiles of Figure 8. 
Figure 9 is the watermark extracted from Figure 8. To test the fragile watermarking technique 
we produced a noisy document image by copying the original marked 
document image once on a Xerox 330. For Figure 12, the reverse processing recovered only the noise 
produced by copying. Finally, we experimented with 
cropping the word "watermarking" in Figure 13, and obtained the cropped 
words as the forged regions in Figure 14 through the reverse process. We also 
changed the word "document" to "image" and "feature of 
diagonal profile" to "diagonal profile's feature", as in Figure 15. Figure 16 is the 
forged region extracted from Figure 15; it is presented together with Figure 15 
to compare the original document and the forged regions. 
[The test page used in Figures 5, 8 and 12 to 16 reads: "In these days, open computer network, so called internet, makes possible to use intellectual properties without any degradation of multimedia data such as audio, image, video and text document. In this paper, we introduce a new watermarking scheme to prevent from discourage illicit copy or distribution of text document. We propose the watermarking and extraction by embedding the secret information of copyright using diagonal profile to text document. This watermarking method can easily detect attempt to remove or change the watermark by the feature of diagonal profile."] 

Fig. 5. Original unmarked document 

Fig. 6. Left directional D.P. of Fig. 5 

Fig. 7. Right directional D.P. of Fig. 5 

Fig. 8. Watermarked document 

Fig. 9. Watermark (binary image reading "JSE") 

Fig. 10. Left directional D.P. of Fig. 8 

Fig. 11. Right directional D.P. of Fig. 8 

Fig. 12. Forged region by copying one time (only copier noise is recovered) 

Fig. 13. Cropped document ("watermarking" removed at its three occurrences) 

Fig. 14. Extracted forged region of Fig. 13 (the three cropped occurrences of "watermarking") 

Fig. 15. Changed meaning of word ("document" replaced by "image" at three places; "feature of diagonal profile" replaced by "diagonal profile's feature") 

Fig. 16. Extracted forged region from Fig. 15 (the changed words, overlaid on the page text for comparison) 

From these results, we could extract the watermark from the watermarked 
document without the original marked document, and could find the forged region in 
changed document images. The extraction procedure needs only the randomly selected 
positions of the words and the indexes on the two directional diagonal profiles that 
correspond to the embedded watermark positions. It therefore reduces the side 
information needed in decoding. Table 1 shows more specifically the side information 
needed in the decoding procedure when a one-directional diagonal profile is used and when bi-
directional diagonal profiles are used. 
Table 1. Comparison of the side information 

                      One directional diagonal profile          Bi-directional diagonal profiles 
                      Model I              Model II             Robust watermarking   Fragile watermarking 
Side information      Marked document      Original document    Key information       Marked document 
                      Key information      Key information 
                      Pixel positions of marked document 
                      (both models) 


To find out how well the conditions for robust and fragile watermarking 
techniques are satisfied, we present them in Tables 2 and 3. These conditions are selected from 
[10][11] for document watermarking techniques. In Table 2, condition 6) means that the 
watermark should be extractable using only the corresponding side information. The 
condition on modification and multiple watermarks means that the first watermark can be 
removed and a new watermark added, and that a second watermark can be inserted 
such that both are readable but one overrides the other. Our 
technique, furthermore, is not robust against cropping, but skewing has no influence on it, 
because the watermark is embedded adjacent to a black pixel, 
so that skewing moves it together with the marked text line or word. 

Table 2. Satisfying conditions for robust watermarking technique

  Conditions for robust watermarking                               Satisfied
  1) Perceptual transparency
  2) Large marking key space
  3) Robustness against skewing                                    ✓
  4) Modification and multiple watermarks                          ✓
  5) Difficult to deduce from the detection side information
  6) Watermark should be orthogonal during watermark detection     ✓
  7) Computational cost


As one of the important conditions for fragile watermarking, this technique does not have to use the original unmarked document. This is a really important condition in a fragile watermarking system. Our technique can also detect the forged region and locate the altered region.
Table 3. Satisfying conditions for fragile watermarking technique

  Conditions for fragile watermarking                              Satisfied
  1) Detect tampering                                              ✓
  2) Locate the alteration made to a marked document image         ✓
  3) No need for original image                                    ✓
  4) Perceptual transparency


5 Conclusions

Document delivery by computer network offers information providers the opportunity to reach a large audience more quickly and cheaply than media-based distribution does. To facilitate the transition to network distribution, we proposed a robust watermarking technique and a fragile watermarking technique using bi-directional diagonal profiles. By the feature of the bi-directional diagonal profiles we can obtain each unique position in the original or watermarked document image without the original one; for this reason the robust watermarking technique reduces the side information needed in decoding. If a watermarked document image is altered by a line-shifting or word-shifting technique, only the profile of the corresponding altered region changes. In our technique, by contrast, a change to even a small region influences the entire diagonal profile. Furthermore, if the watermarked image has been changed or deleted at an arbitrary position of the text document by an attacker, the original owner of the document can easily detect the difference by comparing the number of vertical strips between the diagonal profile of the original document and the diagonal profile of the possibly changed one. We showed how to extract the watermark and how well the forged region can be located or characterized in several changed document images. In the experiments, we could detect every kind of forgery against the document images using the reverse processing scheme in the decoding procedure.
Abstract. The positive impact of redundancy is an aspect not much explored. This paper presents a new look at redundancy, particularly as related to public-key cryptography, pointing to a new way of building security.

Keywords. Public key, encryption, security, noise, redundancy 



1 Introduction 

While largely viewed as undesirable, the redundancy and message expansion resulting from encryption are hardly a matter of choice. However, the room provided by redundancy may facilitate some cryptographic techniques employed to obscure the encryption key and/or the ciphertext. The McEliece system [1], with its introduction of randomization, may serve as a good example.

Intuitively, when redundancy is closely related to, or purely determined by, the 
structure of the cryptographic keys and transformations, two issues become prominent. 
First, although random, the noise can still be of ‘structure’. One normally can not just 
throw in random bits verbatim as noise but has to, instead, work within the allowance 
of the keys. NTRU[2] is an example in this respect. The other issue is that the amount 
of noise to introduce is limited. Unless noise is totally independent of the keys, the 
requirement of unique decipher may put a ceiling, generally a quite ‘tight’ ceiling, on 
the amount of noise that can be incorporated. 

This paper suggests a new approach to the introduction of redundancy that neither 
depends upon the key structure nor affects the encryption operation. 



2 A Different Approach 

Given an encryption key, we would like to be able to introduce into it any noise, and any sufficient amount of noise, unrestricted by any structure the key may have. At the same time, the effective decryption operation must be able to uniquely and unambiguously recover the original data. Noise of such characteristics is referred to as independent noise.

We would like, for any (plaintext) message $m$, to have a pair of transformations $t$ and $T$ satisfying:

$$t(\langle o, k\rangle) = \langle O, K\rangle, \quad\text{and}\quad T(\langle O, K\rangle(m)) = \langle o, k\rangle(m)$$

where $o$ is an operation (the equivalent of the encryption operation); $O$ is one other such operation; $k$ ($K$) is an encryption key without (with) independent noise; and $\langle o, k\rangle$ ($\langle O, K\rangle$) is a pair indicating operation by $o$ ($O$) with key $k$ ($K$).



One concrete realization of the concept is to adopt the notion of self-containment, 
the property of a sub-unit of a computational unit (analogously a digit of an integer) 
being independent of the values of any other sub-units with regard to certain 
computational operations. 

Let $f_1, f_2, \ldots, f_n$ be arbitrary and/or random functions mapping from $[0, 2^h)$ to $[0, 2^h + \delta)$, for suitable integers $\delta$ and $h$, e.g. $h = 32$ and $-3 \cdot 2^{h} < \delta < 3 \cdot 2^{h}$. (These functions can be dynamic and sessional.) Let all other parameters defined and used here consist entirely of arbitrary and/or random bits.

Let $X = \{x_1, x_2, \ldots, x_n\}$ and $W = \{w_1, w_2, \ldots, w_n\}$ be sets of positive integers satisfying:

$$x_i > \rho_{i-1} x_{i-1} + \rho_{i-2} x_{i-2} + \cdots + \rho_1 x_1 + \rho_0 x_0 + \gamma_i w_i + \gamma_{i-1} w_{i-1} + \cdots + \gamma_1 w_1$$

for $1 \le i \le n$ (e.g. $n = 32$), where $\gamma_j$ and $\rho_j \in [0, 2^h)$ and $x_0$, for convenience, is defined to be 0. We call the increasing property of $x_i$ with respect to its index superincreasing.

Let $\langle Y, U\rangle = \langle \{y_1, \ldots, y_n\}, \{u_1, u_2, \ldots, u_n\}\rangle = \iota_r(\iota_{r-1}(\ldots(\iota_1(\langle \pi(X), \pi(W)\rangle))\ldots))$, where $\pi$ is a permutation (with $\pi^{-1}$ as the inverse permutation) and $\iota_j$, for $1 \le j \le r$, is an iteration defined to be:

$$\iota_j(\langle A, B\rangle) = \iota_j(\langle \{a_1, a_2, \ldots, a_n\}, \{b_1, b_2, \ldots, b_n\}\rangle) = \langle \{(a \cdot e_j) \bmod m_j \mid a \in A\}, \{(b \cdot e_j) \bmod m_j \mid b \in B\}\rangle$$

where $m_j > \rho_1 a_1 + \rho_2 a_2 + \cdots + \rho_n a_n + \gamma_1 b_1 + \gamma_2 b_2 + \cdots + \gamma_n b_n$, and $e_j$ and $m_j$ are relatively prime (with $e_j^{-1}$ being the multiplicative inverse of $e_j$ modulo $m_j$).

Let $Z = \{z_1, z_2, \ldots, z_n\}$ be the transformed version of $Y$ and $V = \{v_1, v_2, \ldots, v_n\}$ be the transformed version of $U$ satisfying the following:

a. $p_0, p_1, \ldots, p_{t-1}$ are pairwise co-prime
b. $z_i = (z_{i,0}, z_{i,1}, \ldots, z_{i,qt-1})$ for $1 \le i \le n$ and $q \ge 1$, i.e. $z_i$ are in vector form
c. $J = \{j_0, j_1, \ldots, j_{k-1}\}$ is an arbitrarily and/or randomly chosen set of indices, where $0 \le j_0, j_1, \ldots, j_{k-1} < t$
d. $S = \{s_0, s_1, \ldots, s_{k-1}\}$ is an arbitrary and/or random set of indices satisfying $0 \le s_0, s_1, \ldots, s_{k-1} < qt$ and $J = S \bmod t = \{s_0 \bmod t, s_1 \bmod t, \ldots, s_{k-1} \bmod t\}$
e. $\prod_{j \in J} p_j > \rho_1 y_1 + \rho_2 y_2 + \cdots + \rho_n y_n + \gamma_1 u_1 + \gamma_2 u_2 + \cdots + \gamma_n u_n$
f. $z_{i,s} = y_i \bmod p_{s \bmod t}$ for $s \in S$
g. $z_{i,s}$ are random numbers modulo $p_{s \bmod t}$ for $0 \le s < qt$, $s \notin S$
h. $v_i = (v_{i,0}, v_{i,1}, \ldots, v_{i,qt-1})$ for $1 \le i \le n$
i. $v_{i,s} = u_i \bmod p_{s \bmod t}$ for $s \in S$
j. $v_{i,s}$ are random numbers modulo $p_{s \bmod t}$ for $0 \le s < qt$, $s \notin S$

Secret Key: $X$, $W$, $S$, $\pi^{-1}$, $m_1, m_2, \ldots, m_r$, and $e_1^{-1}, e_2^{-1}, \ldots, e_r^{-1}$.

Public Key: $Z$, $V$, $f_1, f_2, \ldots, f_n$, and $p_0, p_1, \ldots, p_{t-1}$.

Encryption: The input data stream is taken $n$ blocks, $d_1, d_2, \ldots, d_n$, at a time. Each of these $n$ blocks is of $h$ bits. The blocks are encrypted to $c_0, c_1, \ldots, c_{qt-1}$ in the following way:

$$c_s = \big((d_1 z_{1,s} + d_2 z_{2,s} + \cdots + d_n z_{n,s}) + (f_1(d_1) v_{1,s} + f_2(d_2) v_{2,s} + \cdots + f_n(d_n) v_{n,s})\big) \bmod p_{s \bmod t}, \quad 0 \le s < qt$$

Decryption: The decryptor, with knowledge of $S$, simply discards the $c_s$ where $s \notin S$. The remaining $c_s$ are then converted back from the residue system by the $p_{s \bmod t}$ using the Chinese Remainder Theorem (CRT), to arrive at a subset sum $p$ (of $Y$ and $U$) in the normal positional number system representation. Next, the inverse iteration(s) can be applied to convert $p$ to the corresponding subset sum of $X$ and $W$:

for i from r down to 1 do
    $p = p \cdot e_i^{-1} \bmod m_i$
end for loop

Finally, the normal decomposition of a superincreasing subset sum can be used to recover the data blocks $d_1, d_2, \ldots, d_n$:

for i from n down to 1 do
    $d_i = \lfloor p / x_i \rfloor$
    $p = p - d_i x_i - f_i(d_i) w_i$
end for loop

$$\{d_1, d_2, \ldots, d_n\} = \pi^{-1}(\{d_1, d_2, \ldots, d_n\})$$
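The construction above carried through end to end, as an added Python example (this is not the paper's code). It keeps the paper's names where practical (x, w, y, u, z, v, S, J, m_j, e_j, p_j, rho, gamma) and makes the following assumptions: toy parameters h = 8, n = 4, r = 2, t = 6, q = 2 with six 16-bit primes as the final moduli; the f_i realised as random lookup tables; rho_i and gamma_i set to the largest possible d_i and f_i(d_i); the real residues taken, as Section 3 states, to be the elements of Y and U reduced by the final moduli, i.e. z_{i,s} = y_i mod p_{s mod t} and v_{i,s} = u_i mod p_{s mod t} for s in S; and k chosen as the smallest number of final moduli whose product exceeds the largest possible subset sum of Y and U. These sizes give no security at all; they only keep the arithmetic visible.

```python
# Toy instance of SYS: key generation, encryption and decryption as specified above.
import math
import random

H, DELTA = 8, 5              # d_i in [0, 2^h); f_i(d_i) in [0, 2^h + delta)
N, R, T, Q = 4, 2, 6, 2      # n blocks, r iterations, t final moduli, q copies of each
RHO = (1 << H) - 1           # rho_i: largest possible d_i
GAMMA = (1 << H) + DELTA - 1 # gamma_i: largest possible f_i(d_i)
# p_0 .. p_{t-1}: pairwise co-prime final moduli (16-bit primes; toy sizes only)
FINAL_MODULI = [65521, 65519, 65497, 65479, 65449, 65447]


def crt(residues):
    """Combine (residue, modulus) pairs with pairwise co-prime moduli into an NPR number."""
    total, modulus = 0, 1
    for r, m in residues:
        total += modulus * ((r - total) * pow(modulus, -1, m) % m)
        modulus *= m
    return total


def keygen(seed=1):
    rng = random.Random(seed)
    assert all(math.gcd(a, b) == 1 for a in FINAL_MODULI for b in FINAL_MODULI if a != b)
    # f_i: arbitrary (here random) lookup tables [0, 2^h) -> [0, 2^h + delta); public.
    f = [[rng.randrange((1 << H) + DELTA) for _ in range(1 << H)] for _ in range(N)]
    # Secret W and superincreasing X: x_i > sum_{j<i}(rho x_j + gamma w_j) + gamma w_i.
    w = [rng.randrange(1, 1 << H) for _ in range(N)]
    x = []
    for i in range(N):
        bound = sum(RHO * xj + GAMMA * wj for xj, wj in zip(x, w)) + GAMMA * w[i]
        x.append(bound + rng.randrange(1, 1 << H))
    # Secret permutation pi, then r iterations a -> a*e_j mod m_j with m_j above the max sum.
    perm = list(range(N))
    rng.shuffle(perm)
    a, b = [x[p] for p in perm], [w[p] for p in perm]
    mods, mults = [], []
    for _ in range(R):
        m = sum(RHO * ai + GAMMA * bi for ai, bi in zip(a, b)) + rng.randrange(1, 1 << H)
        e = rng.randrange(2, m)
        while math.gcd(e, m) != 1:
            e = rng.randrange(2, m)
        a, b = [ai * e % m for ai in a], [bi * e % m for bi in b]
        mods.append(m)
        mults.append(e)
    y, u = a, b
    # J: enough final moduli that their product exceeds the largest subset sum of Y, U;
    # S: one slot per j in J with s mod t = j (secret). All other slots get fake residues.
    bound = sum(RHO * yi + GAMMA * ui for yi, ui in zip(y, u))
    k, prod = 0, 1
    for p in sorted(FINAL_MODULI):
        if prod > bound:
            break
        prod, k = prod * p, k + 1
    if prod <= bound:
        raise ValueError("final moduli too small for these parameters")
    J = rng.sample(range(T), k)
    S = sorted(j + T * rng.randrange(Q) for j in J)
    z = [[0] * (Q * T) for _ in range(N)]
    v = [[0] * (Q * T) for _ in range(N)]
    for i in range(N):
        for s in range(Q * T):
            p = FINAL_MODULI[s % T]
            real = s in S
            z[i][s] = y[i] % p if real else rng.randrange(p)
            v[i][s] = u[i] % p if real else rng.randrange(p)
    inv_perm = [0] * N
    for i, p in enumerate(perm):
        inv_perm[p] = i                      # x_p sits at public position i
    public = {"z": z, "v": v, "f": f, "p": FINAL_MODULI}
    secret = {"x": x, "w": w, "S": S, "inv_perm": inv_perm, "mods": mods,
              "einv": [pow(e, -1, m) for e, m in zip(mults, mods)]}
    return public, secret


def encrypt(public, d):
    """c_s = (sum_i d_i z_{i,s} + sum_i f_i(d_i) v_{i,s}) mod p_{s mod t}, 0 <= s < qt."""
    assert len(d) == N and all(0 <= di < (1 << H) for di in d)
    z, v, f, p = public["z"], public["v"], public["f"], public["p"]
    return [sum(d[i] * z[i][s] + f[i][d[i]] * v[i][s] for i in range(N)) % p[s % T]
            for s in range(Q * T)]


def decrypt(public, secret, c):
    """Keep c_s for s in S, CRT-combine, undo the iterations, decompose the superincreasing sum."""
    f, p = public["f"], public["p"]
    x, w = secret["x"], secret["w"]
    total = crt([(c[s], p[s % T]) for s in secret["S"]])
    for einv, m in zip(reversed(secret["einv"]), reversed(secret["mods"])):
        total = total * einv % m
    d = [0] * N
    for j in range(N - 1, -1, -1):           # largest x_j first
        i = secret["inv_perm"][j]            # public block index that multiplies x_j
        d[i] = total // x[j]
        total -= d[i] * x[j] + f[i][d[i]] * w[j]
    if total != 0:
        raise ValueError("not a valid ciphertext for this key")
    return d


if __name__ == "__main__":
    pk, sk = keygen(seed=7)
    msg = [0, 255, 42, 171]
    ct = encrypt(pk, msg)
    print("real slots S =", sk["S"], "of", Q * T, "; decrypted:", decrypt(pk, sk, ct))
```

Two details worth noticing when running it: the decryptor never touches the residues outside S, so overwriting those ciphertext entries changes nothing, and the superincreasing bound includes the gamma_i w_i term of the same index because the greedy floor division only recovers d_i when f_i(d_i) w_i plus every lower term stays below x_i.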

3 Security Considerations 

In this section, analysis of security is presented. For convenience, we shorthand 
"normal positional representation" to NPR and refer to the example cryptosystem 
given in the previous section of this paper as SYS. 
First, we formally specify and define the major notations to be used.

We will adopt the notations used for SYS and view the encryption key as a matrix (formed by the row vectors $v_i$ and $z_i$), and we refer to $p_j$ ($0 \le j \le t-1$) as final moduli and to $m_i$ ($1 \le i \le r$) as iteration moduli.

Definition: Residue and Representative

In the notation used for SYS, we refer to $v_{i,j}$ and $z_{i,j}$ (for $1 \le i \le n$ and $0 \le j < qt$) as residues. We further refer to $v_{i,j}$ and $z_{i,j}$, for $j \in S$, as real residues and to the others as fake residues.

Let $A$ be a number in NPR and $B = \{b_1, b_2, \ldots, b_k\}$ be a set of residues in CRT reduced from $A$ by a set of pairwise co-prime numbers $P$. We refer to $B$ as the representative (of $A$) if $B$ is a set of real residues and the product of all members of $P$ is greater than $A$.

Definition: Polynomially Distinguishable & Polynomially Indistinguishable

We say that A and B are polynomially distinguishable if the identification of 
either A or B, with non-negligible success rate, is of polynomial complexity. 
Otherwise, we say A and B are polynomially indistinguishable. 

Definition: Binary Set, Compact Set and Density

Let $A = \{a_1, a_2, \ldots, a_n\}$ be a set used in forming a subset sum in the following way:

$$\sum_{i=1}^{n} x_i a_i$$

We call $A$ a binary set if $x_i$ takes on only two distinct values, and a trinary set if it takes on only three distinct values; else we call $A$ a compact set. Denoting $a$ as the largest element in $A$, the density of $A$, with $x_i \in [0, 2^h)$ for some positive integer $h$, is defined to be:

$$\frac{nh}{\lg_2(a)}$$



Observation: Verifiability

Let the largest number in $Y \cup U$ be $\theta$. We observe that, to avoid overflow during encryption, the construction of SYS has the $k$ real residues in any row vector (i.e. $v_i$ or $z_i$) represent an NPR number no larger than $\theta$, yet any $k$ residues with at least one fake residue will, with high probability, represent an NPR number greater than $\theta$. Therefore, if a set of $k$ residues is tested to represent an NPR number no larger than $\theta$, with high probability they are real residues. In fact, once a set of residues in a row vector whose corresponding (final) moduli have a product greater than $\theta$ is tested to represent an NPR number no larger than $\theta$, with high probability they are a representative.
Observation: Complexity Upperbound

Let $l$ denote the size of the smallest representative in $v_i$ and $z_i$. We observe that the value of $l$ depends on the value of $k$ and the sizes of the $p_j$ but is smaller than $k$ by only a small constant. Even though the value of neither $k$ nor $l$ nor $\theta$ is made publicly known, for our security analysis we may conservatively assume that they all are, or that they all can be pretty accurately estimated. According to the Verifiability Observation, once $l$ or more indices are chosen where the correspondingly indexed residues in $v_i$ and $z_i$ are tested to represent NPR numbers no larger than $\theta$, the indices are almost always those of real residues comprising representatives. One can obviously brute-force all possible combinations of $l$ or more residues, and the complexity is upper-bounded approximately by:

$$\binom{q(t - l + i)}{i}$$
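The Verifiability test and the brute-force search of the Complexity Upperbound observation, as an added Python example (not the paper's code). It builds n = 5 row vectors over t = 6 constructed final moduli near 1000 with q = 2 copies per modulus, k = 4 real slots and the remaining slots filled with random fake residues, and picks theta = 5000000 so that the product of any two moduli is below theta while the product of any three is roughly a thousand times theta; hence the smallest representative has size l = 3 < k, as the observation says. The search enumerates every 3-subset of the 12 slots whose moduli are distinct, CRT-combines each row's residues, and keeps only the subsets that represent a number no larger than theta in every row. The moduli, theta, the row values and the seed are assumptions of this example.

```python
# Brute-force "real residue" distinguisher built on the Verifiability observation.
import itertools
import math
import random


def crt(residues):
    """Combine (residue, modulus) pairs with pairwise co-prime moduli into an NPR number."""
    total, modulus = 0, 1
    for r, m in residues:
        total += modulus * ((r - total) * pow(modulus, -1, m) % m)
        modulus *= m
    return total


def make_rows(values, moduli, q, S, rng):
    """Row vectors like z_i: value mod p_{s mod t} in the real slots S, random residues elsewhere."""
    t = len(moduli)
    return [[val % moduli[s % t] if s in S else rng.randrange(moduli[s % t])
             for s in range(q * t)] for val in values]


def represents_at_most(rows, slots, moduli, theta):
    """Verifiability test: do the residues at `slots` give a number <= theta in every row?"""
    t = len(moduli)
    return all(crt([(row[s], moduli[s % t]) for s in slots]) <= theta for row in rows)


def candidate_slot_sets(rows, moduli, theta, l):
    """Every l-subset of slots with distinct moduli that passes the verifiability test."""
    t, qt = len(moduli), len(rows[0])
    return [slots for slots in itertools.combinations(range(qt), l)
            if len({s % t for s in slots}) == l            # a valid CRT basis
            and represents_at_most(rows, slots, moduli, theta)]


def demo(seed=3):
    """Build a small key-like matrix with fake residues and recover the real slots by brute force."""
    rng = random.Random(seed)
    moduli = [1009, 1013, 1019, 1021, 1031, 1033]   # t = 6 pairwise co-prime final moduli
    q, n, k = 2, 5, 4                                # qt = 12 slots per row, n rows, k real slots
    theta = 5_000_000  # any two moduli multiply to < theta, any three to ~1000x theta, so l = 3
    assert all(math.gcd(a, b) == 1 for a in moduli for b in moduli if a != b)
    J = rng.sample(range(len(moduli)), k)
    S = sorted(j + len(moduli) * rng.randrange(q) for j in J)   # S mod t = J
    rows = make_rows([rng.randrange(theta + 1) for _ in range(n)], moduli, q, S, rng)
    l = 3                                            # size of the smallest representative here
    hits = candidate_slot_sets(rows, moduli, theta, l)
    tried = math.comb(q * len(moduli), l)
    return S, hits, tried


if __name__ == "__main__":
    S, hits, tried = demo()
    print("real slots:", S)
    print("subsets tried:", tried, "passing:", hits)
```

With these sizes the only subsets that survive are the four 3-subsets of S, so S is recovered after 220 CRT checks; a subset with even one fake residue passes a single row with probability about theta divided by the product of its three moduli, roughly 1/200, and has to pass all five rows. The observation's point is that the number of subsets to try grows combinatorially in qt and l, not that any individual test is expensive.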



Theorem: Existence 

There exists an asymmetric encryption key that is polynomially indistinguishable 
from random bits. 

We will not prove Existence Theorem directly. Instead, we establish a security 
aspect of SYS by restating the Existence Theorem as the following lemma that we 
prove. It should be obvious that the establishment of the following lemma would 
automatically have established Existence Theorem. 

Lemma: Indistinguishability 

The real residues (and the fake residues) are polynomially indistinguishable. And 
thus the encryption key is polynomially indistinguishable from random bits. 

Proof of Indistinguishability Lemma 

First, we develop an informal argument. We observe that any real residue is just 
an element in U or Y reduced by a final modulus. (If the reduction is multiplicative 
modular reduction with some random multiplier, this observation still applies.) Since 
all of X and W, by the very construction as specified for SYS, are random, and the 
iteration moduli and modular multipliers for the transformation of X and W are 
random as well, the whole process in producing the real residues is random. We 
further observe that due to the nature of the process, there are two and only two 
properties associated with the encryption key, namely the superincreasing property 
and the property revealed in Verifiability Observation. 

By CRT and the theorem of Szabo (1961) [3], the identification of representatives is required for the exploitation of the properties. Therefore, without knowing the indices of the real residues comprising representatives, we are not able to distinguish real and fake residues.

Let the exploitation function O be an oracle that we call upon to distinguish any 
real residue, and let D be a distinguisher for distinguishing real residues. To exploit 
the properties, D has to make calls to the oracle, supplying the indices of real residues 
comprising representatives. But those are what D is looking for and can not get without the use of the oracle.

Formally, we define D and O as follows:

$$D(\Phi) = \Phi' \quad\text{and}\quad O(\Phi) = \Phi'$$

where $\Phi$ and $\Phi'$ are each a three-tuple $(V, Z, A)$ with $A$ being a list of sets of indices for residues. If D identifies any real residues, or if O verifies any real residues through either of the two properties, it will output their indices as a set in $A$; else it will output an empty set in $A$. Without loss of generality, we assume the sets are output in the list in a certain order, e.g. the row order of the matrix of $V$ and $Z$ defined for SYS.

Let us assume that the two properties can be exploited without us knowing any 
indices of real residues comprising representatives. 

We have four and only four basic configurations to consider:

1. $O(\Phi)$ is called after a call to $D(\Phi)$, which is called first
2. $D(\Phi)$ is called after a call to $O(\Phi)$, which is called first
3. $O(\Phi)$ is called within a call to $D(\Phi)$, which is called first
4. $D(\Phi)$ is called within a call to $O(\Phi)$, which is called first

If D can not distinguish any real residue, it will not be able to at any point during its execution. O, on the other hand, can not exploit the two properties unless indices of real residues comprising representatives are supplied as input in $A$. Considering that we do not have the indices for the top-level calls to either D or O, as assumed, each of the configurations can be easily verified as unable to distinguish any real or fake residue. Using induction, any nested levels of calls between D and O in any of the combinations of the four basic configurations can be easily shown to fail as well. The two properties of the encryption key are not exploitable. We have reached a contradiction.

Therefore, D is a function that identifies real residues without relying on the 
properties of the real residues. In other words, D is a distinguisher applying no criteria 
for its selection (of indices) and is no better than bruteforcing the possible 
combinations of the residues, which according to Complexity Upperbound 
Observation is of at least exponential complexity. 

In conclusion, it requires at least exponential complexity to distinguish the real 
residues and, as a direct consequence, the encryption key itself can only be 
distinguished from random bits with at least exponential complexity. 

Since S is not obtainable with less than exponential complexity, the following 
lemma follows. 

Lemma: Key Security 

Obtaining a corresponding decryption key from an encryption key of SYS is of at 
least exponential complexity. 

The strength of the ciphertext produced by SYS is analyzed next. 

Since it requires at least exponential complexity to distinguish the decryption key of SYS from random bits, the ciphertext by SYS is effectively the subset sum of a random set. Since the subset sum problem of random sets is NP-complete, the ciphertext by SYS is of exponential complexity (at least in the worst case scenario) under the assumption of $\mathrm{NP} \subseteq \mathrm{EXP}$, which can be seen as a simple, direct result of the Indistinguishability Lemma.

We observe that the encryption key set can be of high density (e.g. take $n = h = 32$, $t = 100$, and the 100 largest primes smaller than $2^{32}$ as the final moduli; the density is at least 1.28). The average number ($2^c$) of solutions to a random subset sum problem is related to the density of the set in the following manner:

$$d = \frac{\lg_2(2n) + h + c}{\lg_2(a)}$$

where $d$ is the density, $2n$ is the number of elements in the set, $2^h - 1$ is the maximum number of times an element can be added to the subset sum, $a$ is the largest element in the set, and $c$ is the exponent associated with the average number of solutions to a random subset sum.

We now consider the general strength of the ciphertext by SYS, particularly in terms of lattice basis reduction (LBR), which has been the most general and successful approach in attacking knapsack-type cryptosystems. We first observe that LBR (with its various improvements) is ineffective or inefficient in dealing with compact sets. However, if a compact set can be easily converted to a binary set, LBR can be a threat, especially when the set is of low density. High-density compact sets may still be vulnerable. An example is the cryptographic scheme proposed by Orton [4]. The problem with such sets is that the 'extra' elements that make the sets dense are highly linear with other elements in the sets. In SYS, the functions $f_i$ are non-linear, as there is no restriction on what $f_i$ should be, and the $f_i$ are not restricted by, or related to, any other key parameters in any fashion. The non-linearity leaves no chance for an equivalent binary set to facilitate attacks like LBR.

Therefore, by the non-linearity of the $f_i$ and the density of the set(s), the easy instances of subset sum problems, where it is only required to find any one solution, are removed. The problem posed by SYS requires the finding of a specific subset (or vector), uniquely determined by the $f_i$, from an exponential number of subset sum solutions.